1 /* 2 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 * 5 * STREAMS Crypto Module 6 * 7 * This module is used to facilitate Kerberos encryption 8 * operations for the telnet daemon and rlogin daemon. 9 * Because the Solaris telnet and rlogin daemons run mostly 10 * in-kernel via 'telmod' and 'rlmod', this module must be 11 * pushed on the STREAM *below* telmod or rlmod. 12 * 13 * Parts of the 3DES key derivation code are covered by the 14 * following copyright. 15 * 16 * Copyright (C) 1998 by the FundsXpress, INC. 17 * 18 * All rights reserved. 19 * 20 * Export of this software from the United States of America may require 21 * a specific license from the United States Government. It is the 22 * responsibility of any person or organization contemplating export to 23 * obtain such a license before exporting. 24 * 25 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 26 * distribute this software and its documentation for any purpose and 27 * without fee is hereby granted, provided that the above copyright 28 * notice appear in all copies and that both that copyright notice and 29 * this permission notice appear in supporting documentation, and that 30 * the name of FundsXpress. not be used in advertising or publicity pertaining 31 * to distribution of the software without specific, written prior 32 * permission. FundsXpress makes no representations about the suitability of 33 * this software for any purpose. It is provided "as is" without express 34 * or implied warranty. 35 * 36 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 37 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 38 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 39 */ 40 #pragma ident "%Z%%M% %I% %E% SMI" 41 42 #include <sys/types.h> 43 #include <sys/sysmacros.h> 44 #include <sys/errno.h> 45 #include <sys/debug.h> 46 #include <sys/time.h> 47 #include <sys/stropts.h> 48 #include <sys/stream.h> 49 #include <sys/strsubr.h> 50 #include <sys/strlog.h> 51 #include <sys/cmn_err.h> 52 #include <sys/conf.h> 53 #include <sys/sunddi.h> 54 #include <sys/kmem.h> 55 #include <sys/strsun.h> 56 #include <sys/random.h> 57 #include <sys/types.h> 58 #include <sys/byteorder.h> 59 #include <sys/cryptmod.h> 60 #include <sys/crc32.h> 61 #include <sys/policy.h> 62 63 #include <sys/crypto/api.h> 64 65 #include <sys/strft.h> 66 /* 67 * Function prototypes. 68 */ 69 static int cryptmodopen(queue_t *, dev_t *, int, int, cred_t *); 70 static void cryptmodrput(queue_t *, mblk_t *); 71 static void cryptmodwput(queue_t *, mblk_t *); 72 static int cryptmodclose(queue_t *); 73 static int cryptmodwsrv(queue_t *); 74 static int cryptmodrsrv(queue_t *); 75 76 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp); 77 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp); 78 79 #define CRYPTMOD_ID 5150 80 81 #define CFB_BLKSZ 8 82 83 #define K5CLENGTH 5 84 85 static struct module_info cryptmod_minfo = { 86 CRYPTMOD_ID, /* mi_idnum */ 87 "cryptmod", /* mi_idname */ 88 0, /* mi_minpsz */ 89 INFPSZ, /* mi_maxpsz */ 90 65536, /* mi_hiwat */ 91 1024 /* mi_lowat */ 92 }; 93 94 static struct qinit cryptmod_rinit = { 95 (int (*)())cryptmodrput, /* qi_putp */ 96 cryptmodrsrv, /* qi_svc */ 97 cryptmodopen, /* qi_qopen */ 98 cryptmodclose, /* qi_qclose */ 99 NULL, /* qi_qadmin */ 100 &cryptmod_minfo, /* qi_minfo */ 101 NULL /* qi_mstat */ 102 }; 103 104 static struct qinit cryptmod_winit = { 105 (int (*)())cryptmodwput, /* qi_putp */ 106 cryptmodwsrv, /* qi_srvp */ 107 NULL, /* qi_qopen */ 108 NULL, /* qi_qclose */ 109 NULL, /* qi_qadmin */ 110 &cryptmod_minfo, /* qi_minfo */ 111 NULL /* qi_mstat */ 112 }; 113 114 static struct streamtab cryptmod_info = { 115 &cryptmod_rinit, /* st_rdinit */ 116 &cryptmod_winit, /* st_wrinit */ 117 NULL, /* st_muxrinit */ 118 NULL /* st_muxwinit */ 119 }; 120 121 typedef struct { 122 uint_t hash_len; 123 uint_t confound_len; 124 int (*hashfunc)(); 125 } hash_info_t; 126 127 #define MAX_CKSUM_LEN 20 128 #define CONFOUNDER_LEN 8 129 130 #define SHA1_HASHSIZE 20 131 #define MD5_HASHSIZE 16 132 #define CRC32_HASHSIZE 4 133 134 static int crc32_calc(uchar_t *, uchar_t *, uint_t); 135 static int md5_calc(uchar_t *, uchar_t *, uint_t); 136 static int sha1_calc(uchar_t *, uchar_t *, uint_t); 137 138 static hash_info_t null_hash = {0, 0, NULL}; 139 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc}; 140 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc}; 141 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc}; 142 143 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID; 144 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID; 145 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID; 146 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID; 147 148 static int kef_crypt(struct cipher_data_t *, void *, 149 crypto_data_format_t, size_t, int); 150 static mblk_t * 151 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *, 152 mblk_t *, hash_info_t *); 153 static mblk_t * 154 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *, 155 mblk_t *, hash_info_t *); 156 157 static int 158 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int); 159 160 /* 161 * This is the loadable module wrapper. 162 */ 163 #include <sys/modctl.h> 164 165 static struct fmodsw fsw = { 166 "cryptmod", 167 &cryptmod_info, 168 D_MP | D_MTQPAIR 169 }; 170 171 /* 172 * Module linkage information for the kernel. 173 */ 174 static struct modlstrmod modlstrmod = { 175 &mod_strmodops, 176 "STREAMS encryption module %I%", 177 &fsw 178 }; 179 180 static struct modlinkage modlinkage = { 181 MODREV_1, 182 &modlstrmod, 183 NULL 184 }; 185 186 int 187 _init(void) 188 { 189 return (mod_install(&modlinkage)); 190 } 191 192 int 193 _fini(void) 194 { 195 return (mod_remove(&modlinkage)); 196 } 197 198 int 199 _info(struct modinfo *modinfop) 200 { 201 return (mod_info(&modlinkage, modinfop)); 202 } 203 204 static void 205 cleanup(struct cipher_data_t *cd) 206 { 207 if (cd->key != NULL) { 208 bzero(cd->key, cd->keylen); 209 kmem_free(cd->key, cd->keylen); 210 cd->key = NULL; 211 } 212 213 if (cd->ckey != NULL) { 214 /* 215 * ckey is a crypto_key_t structure which references 216 * "cd->key" for its raw key data. Since that was already 217 * cleared out, we don't need another "bzero" here. 218 */ 219 kmem_free(cd->ckey, sizeof (crypto_key_t)); 220 cd->ckey = NULL; 221 } 222 223 if (cd->block != NULL) { 224 kmem_free(cd->block, cd->blocklen); 225 cd->block = NULL; 226 } 227 228 if (cd->saveblock != NULL) { 229 kmem_free(cd->saveblock, cd->blocklen); 230 cd->saveblock = NULL; 231 } 232 233 if (cd->ivec != NULL) { 234 kmem_free(cd->ivec, cd->ivlen); 235 cd->ivec = NULL; 236 } 237 238 if (cd->d_encr_key.ck_data != NULL) { 239 bzero(cd->d_encr_key.ck_data, cd->keylen); 240 kmem_free(cd->d_encr_key.ck_data, cd->keylen); 241 } 242 243 if (cd->d_hmac_key.ck_data != NULL) { 244 bzero(cd->d_hmac_key.ck_data, cd->keylen); 245 kmem_free(cd->d_hmac_key.ck_data, cd->keylen); 246 } 247 248 if (cd->enc_tmpl != NULL) 249 (void) crypto_destroy_ctx_template(cd->enc_tmpl); 250 251 if (cd->hmac_tmpl != NULL) 252 (void) crypto_destroy_ctx_template(cd->hmac_tmpl); 253 254 if (cd->ctx != NULL) { 255 crypto_cancel_ctx(cd->ctx); 256 cd->ctx = NULL; 257 } 258 } 259 260 /* ARGSUSED */ 261 static int 262 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp) 263 { 264 struct tmodinfo *tmi; 265 ASSERT(rq); 266 267 if (sflag != MODOPEN) 268 return (EINVAL); 269 270 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, 271 "cryptmodopen: opening module(PID %d)", 272 ddi_get_pid())); 273 274 if (rq->q_ptr != NULL) { 275 cmn_err(CE_WARN, "cryptmodopen: already opened"); 276 return (0); 277 } 278 279 /* 280 * Allocate and initialize per-Stream structure. 281 */ 282 tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo), 283 KM_SLEEP); 284 285 tmi->enc_data.method = CRYPT_METHOD_NONE; 286 tmi->dec_data.method = CRYPT_METHOD_NONE; 287 288 tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY); 289 290 rq->q_ptr = WR(rq)->q_ptr = tmi; 291 292 sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC); 293 md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC); 294 sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1); 295 md5_hash_mech = crypto_mech2id(SUN_CKM_MD5); 296 297 qprocson(rq); 298 299 return (0); 300 } 301 302 static int 303 cryptmodclose(queue_t *rq) 304 { 305 struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr; 306 ASSERT(tmi); 307 308 qprocsoff(rq); 309 310 cleanup(&tmi->enc_data); 311 cleanup(&tmi->dec_data); 312 313 kmem_free(tmi, sizeof (struct tmodinfo)); 314 rq->q_ptr = WR(rq)->q_ptr = NULL; 315 316 return (0); 317 } 318 319 /* 320 * plaintext_offset 321 * 322 * Calculate exactly how much space is needed in front 323 * of the "plaintext" in an mbuf so it can be positioned 324 * 1 time instead of potentially moving the data multiple 325 * times. 326 */ 327 static int 328 plaintext_offset(struct cipher_data_t *cd) 329 { 330 int headspace = 0; 331 332 /* 4 byte length prepended to all RCMD msgs */ 333 if (ANY_RCMD_MODE(cd->option_mask)) 334 headspace += RCMD_LEN_SZ; 335 336 /* RCMD V2 mode adds an additional 4 byte plaintext length */ 337 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2) 338 headspace += RCMD_LEN_SZ; 339 340 /* Need extra space for hash and counfounder */ 341 switch (cd->method) { 342 case CRYPT_METHOD_DES_CBC_NULL: 343 headspace += null_hash.hash_len + null_hash.confound_len; 344 break; 345 case CRYPT_METHOD_DES_CBC_CRC: 346 headspace += crc32_hash.hash_len + crc32_hash.confound_len; 347 break; 348 case CRYPT_METHOD_DES_CBC_MD5: 349 headspace += md5_hash.hash_len + md5_hash.confound_len; 350 break; 351 case CRYPT_METHOD_DES3_CBC_SHA1: 352 headspace += sha1_hash.confound_len; 353 break; 354 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 355 headspace += md5_hash.hash_len + md5_hash.confound_len; 356 break; 357 case CRYPT_METHOD_AES128: 358 case CRYPT_METHOD_AES256: 359 headspace += DEFAULT_AES_BLOCKLEN; 360 break; 361 case CRYPT_METHOD_DES_CFB: 362 case CRYPT_METHOD_NONE: 363 break; 364 } 365 366 return (headspace); 367 } 368 /* 369 * encrypt_size 370 * 371 * Calculate the resulting size when encrypting 'plainlen' bytes 372 * of data. 373 */ 374 static size_t 375 encrypt_size(struct cipher_data_t *cd, size_t plainlen) 376 { 377 size_t cipherlen; 378 379 switch (cd->method) { 380 case CRYPT_METHOD_DES_CBC_NULL: 381 cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len + 382 plainlen, 8); 383 break; 384 case CRYPT_METHOD_DES_CBC_MD5: 385 cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len + 386 md5_hash.confound_len + 387 plainlen, 8); 388 break; 389 case CRYPT_METHOD_DES_CBC_CRC: 390 cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len + 391 crc32_hash.confound_len + 392 plainlen, 8); 393 break; 394 case CRYPT_METHOD_DES3_CBC_SHA1: 395 cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len + 396 plainlen, 8) + 397 sha1_hash.hash_len; 398 break; 399 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 400 cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len + 401 plainlen, 1) + md5_hash.hash_len; 402 break; 403 case CRYPT_METHOD_AES128: 404 case CRYPT_METHOD_AES256: 405 /* No roundup for AES-CBC-CTS */ 406 cipherlen = DEFAULT_AES_BLOCKLEN + plainlen + 407 AES_TRUNCATED_HMAC_LEN; 408 break; 409 case CRYPT_METHOD_DES_CFB: 410 case CRYPT_METHOD_NONE: 411 cipherlen = plainlen; 412 break; 413 } 414 415 return (cipherlen); 416 } 417 418 /* 419 * des_cfb_encrypt 420 * 421 * Encrypt the mblk data using DES with cipher feedback. 422 * 423 * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit 424 * vector, D[n] is the nth chunk of 64 bits of data to encrypt 425 * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted 426 * (decrypted) data, then: 427 * 428 * V[0] = DES(V[i], key) 429 * O[n] = D[n] <exclusive or > V[n] 430 * V[n+1] = DES(O[n], key) 431 * 432 * The size of the message being encrypted does not change in this 433 * algorithm, num_bytes in == num_bytes out. 434 */ 435 static mblk_t * 436 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) 437 { 438 int savedbytes; 439 char *iptr, *optr, *lastoutput; 440 441 lastoutput = optr = (char *)mp->b_rptr; 442 iptr = (char *)mp->b_rptr; 443 savedbytes = tmi->enc_data.bytes % CFB_BLKSZ; 444 445 while (iptr < (char *)mp->b_wptr) { 446 /* 447 * Do DES-ECB. 448 * The first time this runs, the 'tmi->enc_data.block' will 449 * contain the initialization vector that should have been 450 * passed in with the SETUP ioctl. 451 * 452 * V[n] = DES(V[n-1], key) 453 */ 454 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) { 455 int retval = 0; 456 retval = kef_crypt(&tmi->enc_data, 457 tmi->enc_data.block, 458 CRYPTO_DATA_RAW, 459 tmi->enc_data.blocklen, 460 CRYPT_ENCRYPT); 461 462 if (retval != CRYPTO_SUCCESS) { 463 #ifdef DEBUG 464 cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt " 465 "failed - error 0x%0x", retval); 466 #endif 467 mp->b_datap->db_type = M_ERROR; 468 mp->b_rptr = mp->b_datap->db_base; 469 *mp->b_rptr = EIO; 470 mp->b_wptr = mp->b_rptr + sizeof (char); 471 freemsg(mp->b_cont); 472 mp->b_cont = NULL; 473 qreply(WR(q), mp); 474 return (NULL); 475 } 476 } 477 478 /* O[n] = I[n] ^ V[n] */ 479 *(optr++) = *(iptr++) ^ 480 tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ]; 481 482 tmi->enc_data.bytes++; 483 /* 484 * Feedback the encrypted output as the input to next DES call. 485 */ 486 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) { 487 char *dbptr = tmi->enc_data.block; 488 /* 489 * Get the last bits of input from the previous 490 * msg block that we haven't yet used as feedback input. 491 */ 492 if (savedbytes > 0) { 493 bcopy(tmi->enc_data.saveblock, 494 dbptr, (size_t)savedbytes); 495 dbptr += savedbytes; 496 } 497 498 /* 499 * Now copy the correct bytes from the current input 500 * stream and update the 'lastoutput' ptr 501 */ 502 bcopy(lastoutput, dbptr, 503 (size_t)(CFB_BLKSZ - savedbytes)); 504 505 lastoutput += (CFB_BLKSZ - savedbytes); 506 savedbytes = 0; 507 } 508 } 509 /* 510 * If there are bytes of input here that we need in the next 511 * block to build an ivec, save them off here. 512 */ 513 if (lastoutput < optr) { 514 bcopy(lastoutput, 515 tmi->enc_data.saveblock + savedbytes, 516 (uint_t)(optr - lastoutput)); 517 } 518 return (mp); 519 } 520 521 /* 522 * des_cfb_decrypt 523 * 524 * Decrypt the data in the mblk using DES in Cipher Feedback mode 525 * 526 * # bytes in == # bytes out, no padding, confounding, or hashing 527 * is added. 528 * 529 */ 530 static mblk_t * 531 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) 532 { 533 uint_t len; 534 uint_t savedbytes; 535 char *iptr; 536 char *lastinput; 537 uint_t cp; 538 539 len = MBLKL(mp); 540 541 /* decrypted output goes into the new data buffer */ 542 lastinput = iptr = (char *)mp->b_rptr; 543 544 savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen; 545 546 /* 547 * Save the input CFB_BLKSZ bytes at a time. 548 * We are trying to decrypt in-place, but need to keep 549 * a small sliding window of encrypted text to be 550 * used to construct the feedback buffer. 551 */ 552 cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len : 553 tmi->dec_data.blocklen - savedbytes); 554 555 bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp); 556 savedbytes += cp; 557 558 lastinput += cp; 559 560 while (iptr < (char *)mp->b_wptr) { 561 /* 562 * Do DES-ECB. 563 * The first time this runs, the 'tmi->dec_data.block' will 564 * contain the initialization vector that should have been 565 * passed in with the SETUP ioctl. 566 */ 567 if (!(tmi->dec_data.bytes % CFB_BLKSZ)) { 568 int retval; 569 retval = kef_crypt(&tmi->dec_data, 570 tmi->dec_data.block, 571 CRYPTO_DATA_RAW, 572 tmi->dec_data.blocklen, 573 CRYPT_ENCRYPT); 574 575 if (retval != CRYPTO_SUCCESS) { 576 #ifdef DEBUG 577 cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt " 578 "failed - status 0x%0x", retval); 579 #endif 580 mp->b_datap->db_type = M_ERROR; 581 mp->b_rptr = mp->b_datap->db_base; 582 *mp->b_rptr = EIO; 583 mp->b_wptr = mp->b_rptr + sizeof (char); 584 freemsg(mp->b_cont); 585 mp->b_cont = NULL; 586 qreply(WR(q), mp); 587 return (NULL); 588 } 589 } 590 591 /* 592 * To decrypt, XOR the input with the output from the DES call 593 */ 594 *(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes % 595 CFB_BLKSZ]; 596 597 tmi->dec_data.bytes++; 598 599 /* 600 * Feedback the encrypted input for next DES call. 601 */ 602 if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) { 603 char *dbptr = tmi->dec_data.block; 604 /* 605 * Get the last bits of input from the previous block 606 * that we haven't yet processed. 607 */ 608 if (savedbytes > 0) { 609 bcopy(tmi->dec_data.saveblock, 610 dbptr, savedbytes); 611 dbptr += savedbytes; 612 } 613 614 savedbytes = 0; 615 616 /* 617 * This block makes sure that our local 618 * buffer of input data is full and can 619 * be accessed from the beginning. 620 */ 621 if (lastinput < (char *)mp->b_wptr) { 622 623 /* How many bytes are left in the mblk? */ 624 cp = (((char *)mp->b_wptr - lastinput) > 625 tmi->dec_data.blocklen ? 626 tmi->dec_data.blocklen : 627 (char *)mp->b_wptr - lastinput); 628 629 /* copy what we need */ 630 bcopy(lastinput, tmi->dec_data.saveblock, 631 cp); 632 633 lastinput += cp; 634 savedbytes = cp; 635 } 636 } 637 } 638 639 return (mp); 640 } 641 642 /* 643 * crc32_calc 644 * 645 * Compute a CRC32 checksum on the input 646 */ 647 static int 648 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len) 649 { 650 uint32_t crc; 651 652 CRC32(crc, input, len, 0, crc32_table); 653 654 buf[0] = (uchar_t)(crc & 0xff); 655 buf[1] = (uchar_t)((crc >> 8) & 0xff); 656 buf[2] = (uchar_t)((crc >> 16) & 0xff); 657 buf[3] = (uchar_t)((crc >> 24) & 0xff); 658 659 return (CRYPTO_SUCCESS); 660 } 661 662 static int 663 kef_digest(crypto_mech_type_t digest_type, 664 uchar_t *input, uint_t inlen, 665 uchar_t *output, uint_t hashlen) 666 { 667 iovec_t v1, v2; 668 crypto_data_t d1, d2; 669 crypto_mechanism_t mech; 670 int rv; 671 672 mech.cm_type = digest_type; 673 mech.cm_param = 0; 674 mech.cm_param_len = 0; 675 676 v1.iov_base = (void *)input; 677 v1.iov_len = inlen; 678 679 d1.cd_format = CRYPTO_DATA_RAW; 680 d1.cd_offset = 0; 681 d1.cd_length = v1.iov_len; 682 d1.cd_raw = v1; 683 684 v2.iov_base = (void *)output; 685 v2.iov_len = hashlen; 686 687 d2.cd_format = CRYPTO_DATA_RAW; 688 d2.cd_offset = 0; 689 d2.cd_length = v2.iov_len; 690 d2.cd_raw = v2; 691 692 rv = crypto_digest(&mech, &d1, &d2, NULL); 693 694 return (rv); 695 } 696 697 /* 698 * sha1_calc 699 * 700 * Get a SHA1 hash on the input data. 701 */ 702 static int 703 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen) 704 { 705 int rv; 706 707 rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE); 708 709 return (rv); 710 } 711 712 /* 713 * Get an MD5 hash on the input data. 714 * md5_calc 715 * 716 */ 717 static int 718 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen) 719 { 720 int rv; 721 722 rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE); 723 724 return (rv); 725 } 726 727 /* 728 * nfold 729 * duplicate the functionality of the krb5_nfold function from 730 * the userland kerberos mech. 731 * This is needed to derive keys for use with 3DES/SHA1-HMAC 732 * ciphers. 733 */ 734 static void 735 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out) 736 { 737 int a, b, c, lcm; 738 int byte, i, msbit; 739 740 inbits >>= 3; 741 outbits >>= 3; 742 743 /* first compute lcm(n,k) */ 744 a = outbits; 745 b = inbits; 746 747 while (b != 0) { 748 c = b; 749 b = a%b; 750 a = c; 751 } 752 753 lcm = outbits*inbits/a; 754 755 /* now do the real work */ 756 757 bzero(out, outbits); 758 byte = 0; 759 760 /* 761 * Compute the msbit in k which gets added into this byte 762 * first, start with the msbit in the first, unrotated byte 763 * then, for each byte, shift to the right for each repetition 764 * last, pick out the correct byte within that shifted repetition 765 */ 766 for (i = lcm-1; i >= 0; i--) { 767 msbit = (((inbits<<3)-1) 768 +(((inbits<<3)+13)*(i/inbits)) 769 +((inbits-(i%inbits))<<3)) %(inbits<<3); 770 771 /* pull out the byte value itself */ 772 byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)| 773 (in[((inbits)-(msbit>>3))%inbits])) 774 >>((msbit&7)+1))&0xff; 775 776 /* do the addition */ 777 byte += out[i%outbits]; 778 out[i%outbits] = byte&0xff; 779 780 byte >>= 8; 781 } 782 783 /* if there's a carry bit left over, add it back in */ 784 if (byte) { 785 for (i = outbits-1; i >= 0; i--) { 786 /* do the addition */ 787 byte += out[i]; 788 out[i] = byte&0xff; 789 790 /* keep around the carry bit, if any */ 791 byte >>= 8; 792 } 793 } 794 } 795 796 #define smask(step) ((1<<step)-1) 797 #define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step))) 798 #define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1) 799 800 /* 801 * Duplicate the functionality of the "dk_derive_key" function 802 * in the Kerberos mechanism. 803 */ 804 static int 805 derive_key(struct cipher_data_t *cdata, uchar_t *constdata, 806 int constlen, char *dkey, int keybytes, 807 int blocklen) 808 { 809 int rv = 0; 810 int n = 0, i; 811 char *inblock; 812 char *rawkey; 813 char *zeroblock; 814 char *saveblock; 815 816 inblock = kmem_zalloc(blocklen, KM_SLEEP); 817 rawkey = kmem_zalloc(keybytes, KM_SLEEP); 818 zeroblock = kmem_zalloc(blocklen, KM_SLEEP); 819 820 if (constlen == blocklen) 821 bcopy(constdata, inblock, blocklen); 822 else 823 nfold(constlen * 8, constdata, 824 blocklen * 8, (uchar_t *)inblock); 825 826 /* 827 * zeroblock is an IV of all 0's. 828 * 829 * The "block" section of the cdata record is used as the 830 * IV for crypto operations in the kef_crypt function. 831 * 832 * We use 'block' as a generic IV data buffer because it 833 * is attached to the stream state data and thus can 834 * be used to hold information that must carry over 835 * from processing of one mblk to another. 836 * 837 * Here, we save the current IV and replace it with 838 * and empty IV (all 0's) for use when deriving the 839 * keys. Once the key derivation is done, we swap the 840 * old IV back into place. 841 */ 842 saveblock = cdata->block; 843 cdata->block = zeroblock; 844 845 while (n < keybytes) { 846 rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW, 847 blocklen, CRYPT_ENCRYPT); 848 if (rv != CRYPTO_SUCCESS) { 849 /* put the original IV block back in place */ 850 cdata->block = saveblock; 851 cmn_err(CE_WARN, "failed to derive a key: %0x", rv); 852 goto cleanup; 853 } 854 855 if (keybytes - n < blocklen) { 856 bcopy(inblock, rawkey+n, (keybytes-n)); 857 break; 858 } 859 bcopy(inblock, rawkey+n, blocklen); 860 n += blocklen; 861 } 862 /* put the original IV block back in place */ 863 cdata->block = saveblock; 864 865 /* finally, make the key */ 866 if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) { 867 /* 868 * 3DES key derivation requires that we make sure the 869 * key has the proper parity. 870 */ 871 for (i = 0; i < 3; i++) { 872 bcopy(rawkey+(i*7), dkey+(i*8), 7); 873 874 /* 'dkey' is our derived key output buffer */ 875 dkey[i*8+7] = (((dkey[i*8]&1)<<1) | 876 ((dkey[i*8+1]&1)<<2) | 877 ((dkey[i*8+2]&1)<<3) | 878 ((dkey[i*8+3]&1)<<4) | 879 ((dkey[i*8+4]&1)<<5) | 880 ((dkey[i*8+5]&1)<<6) | 881 ((dkey[i*8+6]&1)<<7)); 882 883 for (n = 0; n < 8; n++) { 884 dkey[i*8 + n] &= 0xfe; 885 dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]); 886 } 887 } 888 } else if (IS_AES_METHOD(cdata->method)) { 889 bcopy(rawkey, dkey, keybytes); 890 } 891 cleanup: 892 kmem_free(inblock, blocklen); 893 kmem_free(zeroblock, blocklen); 894 kmem_free(rawkey, keybytes); 895 return (rv); 896 } 897 898 /* 899 * create_derived_keys 900 * 901 * Algorithm for deriving a new key and an HMAC key 902 * before computing the 3DES-SHA1-HMAC operation on the plaintext 903 * This algorithm matches the work done by Kerberos mechanism 904 * in userland. 905 */ 906 static int 907 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage, 908 crypto_key_t *enckey, crypto_key_t *hmackey) 909 { 910 uchar_t constdata[K5CLENGTH]; 911 int keybytes; 912 int rv; 913 914 constdata[0] = (usage>>24)&0xff; 915 constdata[1] = (usage>>16)&0xff; 916 constdata[2] = (usage>>8)&0xff; 917 constdata[3] = usage & 0xff; 918 /* Use "0xAA" for deriving encryption key */ 919 constdata[4] = 0xAA; /* from MIT Kerberos code */ 920 921 enckey->ck_length = cdata->keylen * 8; 922 enckey->ck_format = CRYPTO_KEY_RAW; 923 enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP); 924 925 switch (cdata->method) { 926 case CRYPT_METHOD_DES_CFB: 927 case CRYPT_METHOD_DES_CBC_NULL: 928 case CRYPT_METHOD_DES_CBC_MD5: 929 case CRYPT_METHOD_DES_CBC_CRC: 930 keybytes = 8; 931 break; 932 case CRYPT_METHOD_DES3_CBC_SHA1: 933 keybytes = CRYPT_DES3_KEYBYTES; 934 break; 935 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 936 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 937 keybytes = CRYPT_ARCFOUR_KEYBYTES; 938 break; 939 case CRYPT_METHOD_AES128: 940 keybytes = CRYPT_AES128_KEYBYTES; 941 break; 942 case CRYPT_METHOD_AES256: 943 keybytes = CRYPT_AES256_KEYBYTES; 944 break; 945 } 946 947 /* derive main crypto key */ 948 rv = derive_key(cdata, constdata, sizeof (constdata), 949 enckey->ck_data, keybytes, cdata->blocklen); 950 951 if (rv == CRYPTO_SUCCESS) { 952 953 /* Use "0x55" for deriving mac key */ 954 constdata[4] = 0x55; 955 956 hmackey->ck_length = cdata->keylen * 8; 957 hmackey->ck_format = CRYPTO_KEY_RAW; 958 hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP); 959 960 rv = derive_key(cdata, constdata, sizeof (constdata), 961 hmackey->ck_data, keybytes, 962 cdata->blocklen); 963 } else { 964 cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv); 965 } 966 967 return (rv); 968 } 969 970 /* 971 * Compute 3-DES crypto and HMAC. 972 */ 973 static int 974 kef_decr_hmac(struct cipher_data_t *cdata, 975 mblk_t *mp, int length, 976 char *hmac, int hmaclen) 977 { 978 int rv = CRYPTO_FAILED; 979 980 crypto_mechanism_t encr_mech; 981 crypto_mechanism_t mac_mech; 982 crypto_data_t dd; 983 crypto_data_t mac; 984 iovec_t v1; 985 986 ASSERT(cdata != NULL); 987 ASSERT(mp != NULL); 988 ASSERT(hmac != NULL); 989 990 bzero(&dd, sizeof (dd)); 991 dd.cd_format = CRYPTO_DATA_MBLK; 992 dd.cd_offset = 0; 993 dd.cd_length = length; 994 dd.cd_mp = mp; 995 996 v1.iov_base = hmac; 997 v1.iov_len = hmaclen; 998 999 mac.cd_format = CRYPTO_DATA_RAW; 1000 mac.cd_offset = 0; 1001 mac.cd_length = hmaclen; 1002 mac.cd_raw = v1; 1003 1004 /* 1005 * cdata->block holds the IVEC 1006 */ 1007 encr_mech.cm_type = cdata->mech_type; 1008 encr_mech.cm_param = cdata->block; 1009 1010 if (cdata->block != NULL) 1011 encr_mech.cm_param_len = cdata->blocklen; 1012 else 1013 encr_mech.cm_param_len = 0; 1014 1015 rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key, 1016 cdata->enc_tmpl, NULL, NULL); 1017 if (rv != CRYPTO_SUCCESS) { 1018 cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv); 1019 return (rv); 1020 } 1021 1022 mac_mech.cm_type = sha1_hmac_mech; 1023 mac_mech.cm_param = NULL; 1024 mac_mech.cm_param_len = 0; 1025 1026 /* 1027 * Compute MAC of the plaintext decrypted above. 1028 */ 1029 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key, 1030 cdata->hmac_tmpl, &mac, NULL); 1031 1032 if (rv != CRYPTO_SUCCESS) { 1033 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); 1034 } 1035 1036 return (rv); 1037 } 1038 1039 /* 1040 * Compute 3-DES crypto and HMAC. 1041 */ 1042 static int 1043 kef_encr_hmac(struct cipher_data_t *cdata, 1044 mblk_t *mp, int length, 1045 char *hmac, int hmaclen) 1046 { 1047 int rv = CRYPTO_FAILED; 1048 1049 crypto_mechanism_t encr_mech; 1050 crypto_mechanism_t mac_mech; 1051 crypto_data_t dd; 1052 crypto_data_t mac; 1053 iovec_t v1; 1054 1055 ASSERT(cdata != NULL); 1056 ASSERT(mp != NULL); 1057 ASSERT(hmac != NULL); 1058 1059 bzero(&dd, sizeof (dd)); 1060 dd.cd_format = CRYPTO_DATA_MBLK; 1061 dd.cd_offset = 0; 1062 dd.cd_length = length; 1063 dd.cd_mp = mp; 1064 1065 v1.iov_base = hmac; 1066 v1.iov_len = hmaclen; 1067 1068 mac.cd_format = CRYPTO_DATA_RAW; 1069 mac.cd_offset = 0; 1070 mac.cd_length = hmaclen; 1071 mac.cd_raw = v1; 1072 1073 /* 1074 * cdata->block holds the IVEC 1075 */ 1076 encr_mech.cm_type = cdata->mech_type; 1077 encr_mech.cm_param = cdata->block; 1078 1079 if (cdata->block != NULL) 1080 encr_mech.cm_param_len = cdata->blocklen; 1081 else 1082 encr_mech.cm_param_len = 0; 1083 1084 mac_mech.cm_type = sha1_hmac_mech; 1085 mac_mech.cm_param = NULL; 1086 mac_mech.cm_param_len = 0; 1087 1088 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key, 1089 cdata->hmac_tmpl, &mac, NULL); 1090 1091 if (rv != CRYPTO_SUCCESS) { 1092 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); 1093 return (rv); 1094 } 1095 1096 rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key, 1097 cdata->enc_tmpl, NULL, NULL); 1098 if (rv != CRYPTO_SUCCESS) { 1099 cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv); 1100 } 1101 1102 return (rv); 1103 } 1104 1105 /* 1106 * kef_crypt 1107 * 1108 * Use the Kernel encryption framework to provide the 1109 * crypto operations for the indicated data. 1110 */ 1111 static int 1112 kef_crypt(struct cipher_data_t *cdata, 1113 void *indata, crypto_data_format_t fmt, 1114 size_t length, int mode) 1115 { 1116 int rv = CRYPTO_FAILED; 1117 1118 crypto_mechanism_t mech; 1119 crypto_key_t crkey; 1120 iovec_t v1; 1121 crypto_data_t d1; 1122 1123 ASSERT(cdata != NULL); 1124 ASSERT(indata != NULL); 1125 ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK); 1126 1127 bzero(&crkey, sizeof (crkey)); 1128 bzero(&d1, sizeof (d1)); 1129 1130 crkey.ck_format = CRYPTO_KEY_RAW; 1131 crkey.ck_data = cdata->key; 1132 1133 /* keys are measured in bits, not bytes, so multiply by 8 */ 1134 crkey.ck_length = cdata->keylen * 8; 1135 1136 if (fmt == CRYPTO_DATA_RAW) { 1137 v1.iov_base = (char *)indata; 1138 v1.iov_len = length; 1139 } 1140 1141 d1.cd_format = fmt; 1142 d1.cd_offset = 0; 1143 d1.cd_length = length; 1144 if (fmt == CRYPTO_DATA_RAW) 1145 d1.cd_raw = v1; 1146 else if (fmt == CRYPTO_DATA_MBLK) 1147 d1.cd_mp = (mblk_t *)indata; 1148 1149 mech.cm_type = cdata->mech_type; 1150 mech.cm_param = cdata->block; 1151 /* 1152 * cdata->block holds the IVEC 1153 */ 1154 if (cdata->block != NULL) 1155 mech.cm_param_len = cdata->blocklen; 1156 else 1157 mech.cm_param_len = 0; 1158 1159 /* 1160 * encrypt and decrypt in-place 1161 */ 1162 if (mode == CRYPT_ENCRYPT) 1163 rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL); 1164 else 1165 rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL); 1166 1167 if (rv != CRYPTO_SUCCESS) { 1168 cmn_err(CE_WARN, "%s returned error %08x", 1169 (mode == CRYPT_ENCRYPT ? "crypto_encrypt" : 1170 "crypto_decrypt"), rv); 1171 return (CRYPTO_FAILED); 1172 } 1173 1174 return (rv); 1175 } 1176 1177 static int 1178 do_hmac(crypto_mech_type_t mech, 1179 crypto_key_t *key, 1180 char *data, int datalen, 1181 char *hmac, int hmaclen) 1182 { 1183 int rv = 0; 1184 crypto_mechanism_t mac_mech; 1185 crypto_data_t dd; 1186 crypto_data_t mac; 1187 iovec_t vdata, vmac; 1188 1189 mac_mech.cm_type = mech; 1190 mac_mech.cm_param = NULL; 1191 mac_mech.cm_param_len = 0; 1192 1193 vdata.iov_base = data; 1194 vdata.iov_len = datalen; 1195 1196 bzero(&dd, sizeof (dd)); 1197 dd.cd_format = CRYPTO_DATA_RAW; 1198 dd.cd_offset = 0; 1199 dd.cd_length = datalen; 1200 dd.cd_raw = vdata; 1201 1202 vmac.iov_base = hmac; 1203 vmac.iov_len = hmaclen; 1204 1205 mac.cd_format = CRYPTO_DATA_RAW; 1206 mac.cd_offset = 0; 1207 mac.cd_length = hmaclen; 1208 mac.cd_raw = vmac; 1209 1210 /* 1211 * Compute MAC of the plaintext decrypted above. 1212 */ 1213 rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL); 1214 1215 if (rv != CRYPTO_SUCCESS) { 1216 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); 1217 } 1218 1219 return (rv); 1220 } 1221 1222 #define XOR_BLOCK(src, dst) \ 1223 (dst)[0] ^= (src)[0]; \ 1224 (dst)[1] ^= (src)[1]; \ 1225 (dst)[2] ^= (src)[2]; \ 1226 (dst)[3] ^= (src)[3]; \ 1227 (dst)[4] ^= (src)[4]; \ 1228 (dst)[5] ^= (src)[5]; \ 1229 (dst)[6] ^= (src)[6]; \ 1230 (dst)[7] ^= (src)[7]; \ 1231 (dst)[8] ^= (src)[8]; \ 1232 (dst)[9] ^= (src)[9]; \ 1233 (dst)[10] ^= (src)[10]; \ 1234 (dst)[11] ^= (src)[11]; \ 1235 (dst)[12] ^= (src)[12]; \ 1236 (dst)[13] ^= (src)[13]; \ 1237 (dst)[14] ^= (src)[14]; \ 1238 (dst)[15] ^= (src)[15] 1239 1240 #define xorblock(x, y) XOR_BLOCK(y, x) 1241 1242 static int 1243 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length) 1244 { 1245 int result = CRYPTO_SUCCESS; 1246 unsigned char tmp[DEFAULT_AES_BLOCKLEN]; 1247 unsigned char tmp2[DEFAULT_AES_BLOCKLEN]; 1248 unsigned char tmp3[DEFAULT_AES_BLOCKLEN]; 1249 int nblocks = 0, blockno; 1250 crypto_data_t ct, pt; 1251 crypto_mechanism_t mech; 1252 1253 mech.cm_type = tmi->enc_data.mech_type; 1254 if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) { 1255 bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); 1256 mech.cm_param = tmi->enc_data.ivec; 1257 mech.cm_param_len = tmi->enc_data.ivlen; 1258 } else { 1259 bzero(tmp, sizeof (tmp)); 1260 mech.cm_param = NULL; 1261 mech.cm_param_len = 0; 1262 } 1263 1264 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; 1265 1266 bzero(&ct, sizeof (crypto_data_t)); 1267 bzero(&pt, sizeof (crypto_data_t)); 1268 1269 if (nblocks == 1) { 1270 pt.cd_format = CRYPTO_DATA_RAW; 1271 pt.cd_length = length; 1272 pt.cd_raw.iov_base = (char *)plain; 1273 pt.cd_raw.iov_len = length; 1274 1275 result = crypto_encrypt(&mech, &pt, 1276 &tmi->enc_data.d_encr_key, NULL, NULL, NULL); 1277 1278 if (result != CRYPTO_SUCCESS) { 1279 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1280 "crypto_encrypt failed: %0x", result); 1281 } 1282 } else { 1283 size_t nleft; 1284 1285 ct.cd_format = CRYPTO_DATA_RAW; 1286 ct.cd_offset = 0; 1287 ct.cd_length = DEFAULT_AES_BLOCKLEN; 1288 1289 pt.cd_format = CRYPTO_DATA_RAW; 1290 pt.cd_offset = 0; 1291 pt.cd_length = DEFAULT_AES_BLOCKLEN; 1292 1293 result = crypto_encrypt_init(&mech, 1294 &tmi->enc_data.d_encr_key, 1295 tmi->enc_data.enc_tmpl, 1296 &tmi->enc_data.ctx, NULL); 1297 1298 if (result != CRYPTO_SUCCESS) { 1299 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1300 "crypto_encrypt_init failed: %0x", result); 1301 goto cleanup; 1302 } 1303 1304 for (blockno = 0; blockno < nblocks - 2; blockno++) { 1305 xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN); 1306 1307 pt.cd_raw.iov_base = (char *)tmp; 1308 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1309 1310 ct.cd_raw.iov_base = (char *)plain + 1311 blockno * DEFAULT_AES_BLOCKLEN; 1312 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1313 1314 result = crypto_encrypt_update(tmi->enc_data.ctx, 1315 &pt, &ct, NULL); 1316 1317 if (result != CRYPTO_SUCCESS) { 1318 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1319 "crypto_encrypt_update failed: %0x", 1320 result); 1321 goto cleanup; 1322 } 1323 /* copy result over original bytes */ 1324 /* make another copy for the next XOR step */ 1325 bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN, 1326 tmp, DEFAULT_AES_BLOCKLEN); 1327 } 1328 /* XOR cipher text from n-3 with plain text from n-2 */ 1329 xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN); 1330 1331 pt.cd_raw.iov_base = (char *)tmp; 1332 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1333 1334 ct.cd_raw.iov_base = (char *)tmp2; 1335 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1336 1337 /* encrypt XOR-ed block N-2 */ 1338 result = crypto_encrypt_update(tmi->enc_data.ctx, 1339 &pt, &ct, NULL); 1340 if (result != CRYPTO_SUCCESS) { 1341 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1342 "crypto_encrypt_update(2) failed: %0x", 1343 result); 1344 goto cleanup; 1345 } 1346 nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN; 1347 1348 bzero(tmp3, sizeof (tmp3)); 1349 /* Save final plaintext bytes from n-1 */ 1350 bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, 1351 nleft); 1352 1353 /* Overwrite n-1 with cipher text from n-2 */ 1354 bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, 1355 nleft); 1356 1357 bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN); 1358 /* XOR cipher text from n-1 with plain text from n-1 */ 1359 xorblock(tmp, tmp3); 1360 1361 pt.cd_raw.iov_base = (char *)tmp; 1362 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1363 1364 ct.cd_raw.iov_base = (char *)tmp2; 1365 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1366 1367 /* encrypt block N-2 */ 1368 result = crypto_encrypt_update(tmi->enc_data.ctx, 1369 &pt, &ct, NULL); 1370 1371 if (result != CRYPTO_SUCCESS) { 1372 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1373 "crypto_encrypt_update(3) failed: %0x", 1374 result); 1375 goto cleanup; 1376 } 1377 1378 bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1379 DEFAULT_AES_BLOCKLEN); 1380 1381 1382 ct.cd_raw.iov_base = (char *)tmp2; 1383 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1384 1385 /* 1386 * Ignore the output on the final step. 1387 */ 1388 result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL); 1389 if (result != CRYPTO_SUCCESS) { 1390 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1391 "crypto_encrypt_final(3) failed: %0x", 1392 result); 1393 } 1394 tmi->enc_data.ctx = NULL; 1395 } 1396 cleanup: 1397 bzero(tmp, sizeof (tmp)); 1398 bzero(tmp2, sizeof (tmp)); 1399 bzero(tmp3, sizeof (tmp)); 1400 bzero(tmi->enc_data.block, tmi->enc_data.blocklen); 1401 return (result); 1402 } 1403 1404 static int 1405 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length) 1406 { 1407 int result = CRYPTO_SUCCESS; 1408 unsigned char tmp[DEFAULT_AES_BLOCKLEN]; 1409 unsigned char tmp2[DEFAULT_AES_BLOCKLEN]; 1410 unsigned char tmp3[DEFAULT_AES_BLOCKLEN]; 1411 int nblocks = 0, blockno; 1412 crypto_data_t ct, pt; 1413 crypto_mechanism_t mech; 1414 1415 mech.cm_type = tmi->enc_data.mech_type; 1416 1417 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1418 tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) { 1419 bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); 1420 mech.cm_param = tmi->dec_data.ivec; 1421 mech.cm_param_len = tmi->dec_data.ivlen; 1422 } else { 1423 bzero(tmp, sizeof (tmp)); 1424 mech.cm_param_len = 0; 1425 mech.cm_param = NULL; 1426 } 1427 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; 1428 1429 bzero(&pt, sizeof (pt)); 1430 bzero(&ct, sizeof (ct)); 1431 1432 if (nblocks == 1) { 1433 ct.cd_format = CRYPTO_DATA_RAW; 1434 ct.cd_length = length; 1435 ct.cd_raw.iov_base = (char *)buff; 1436 ct.cd_raw.iov_len = length; 1437 1438 result = crypto_decrypt(&mech, &ct, 1439 &tmi->dec_data.d_encr_key, NULL, NULL, NULL); 1440 1441 if (result != CRYPTO_SUCCESS) { 1442 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1443 "crypto_decrypt failed: %0x", result); 1444 goto cleanup; 1445 } 1446 } else { 1447 ct.cd_format = CRYPTO_DATA_RAW; 1448 ct.cd_offset = 0; 1449 ct.cd_length = DEFAULT_AES_BLOCKLEN; 1450 1451 pt.cd_format = CRYPTO_DATA_RAW; 1452 pt.cd_offset = 0; 1453 pt.cd_length = DEFAULT_AES_BLOCKLEN; 1454 1455 result = crypto_encrypt_init(&mech, 1456 &tmi->dec_data.d_encr_key, 1457 tmi->dec_data.enc_tmpl, 1458 &tmi->dec_data.ctx, NULL); 1459 1460 if (result != CRYPTO_SUCCESS) { 1461 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1462 "crypto_decrypt_init failed: %0x", result); 1463 goto cleanup; 1464 } 1465 for (blockno = 0; blockno < nblocks - 2; blockno++) { 1466 ct.cd_raw.iov_base = (char *)buff + 1467 (blockno * DEFAULT_AES_BLOCKLEN); 1468 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1469 1470 pt.cd_raw.iov_base = (char *)tmp2; 1471 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1472 1473 /* 1474 * Save the input to the decrypt so it can 1475 * be used later for an XOR operation 1476 */ 1477 bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN), 1478 tmi->dec_data.block, DEFAULT_AES_BLOCKLEN); 1479 1480 result = crypto_decrypt_update(tmi->dec_data.ctx, 1481 &ct, &pt, NULL); 1482 if (result != CRYPTO_SUCCESS) { 1483 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1484 "crypto_decrypt_update(1) error - " 1485 "result = 0x%08x", result); 1486 goto cleanup; 1487 } 1488 xorblock(tmp2, tmp); 1489 bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN, 1490 DEFAULT_AES_BLOCKLEN); 1491 /* 1492 * The original cipher text is used as the xor 1493 * for the next block, save it here. 1494 */ 1495 bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN); 1496 } 1497 ct.cd_raw.iov_base = (char *)buff + 1498 ((nblocks - 2) * DEFAULT_AES_BLOCKLEN); 1499 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1500 pt.cd_raw.iov_base = (char *)tmp2; 1501 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1502 1503 result = crypto_decrypt_update(tmi->dec_data.ctx, 1504 &ct, &pt, NULL); 1505 if (result != CRYPTO_SUCCESS) { 1506 cmn_err(CE_WARN, 1507 "aes_cbc_cts_decrypt: " 1508 "crypto_decrypt_update(2) error -" 1509 " result = 0x%08x", result); 1510 goto cleanup; 1511 } 1512 bzero(tmp3, sizeof (tmp3)); 1513 bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, 1514 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1515 1516 xorblock(tmp2, tmp3); 1517 bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, 1518 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1519 1520 /* 2nd to last block ... */ 1521 bcopy(tmp3, tmp2, 1522 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1523 1524 ct.cd_raw.iov_base = (char *)tmp2; 1525 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1526 pt.cd_raw.iov_base = (char *)tmp3; 1527 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1528 1529 result = crypto_decrypt_update(tmi->dec_data.ctx, 1530 &ct, &pt, NULL); 1531 if (result != CRYPTO_SUCCESS) { 1532 cmn_err(CE_WARN, 1533 "aes_cbc_cts_decrypt: " 1534 "crypto_decrypt_update(3) error - " 1535 "result = 0x%08x", result); 1536 goto cleanup; 1537 } 1538 xorblock(tmp3, tmp); 1539 1540 1541 /* Finally, update the 2nd to last block and we are done. */ 1542 bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1543 DEFAULT_AES_BLOCKLEN); 1544 1545 /* Do Final step, but ignore output */ 1546 pt.cd_raw.iov_base = (char *)tmp2; 1547 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1548 result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL); 1549 if (result != CRYPTO_SUCCESS) { 1550 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1551 "crypto_decrypt_final error - " 1552 "result = 0x%0x", result); 1553 } 1554 tmi->dec_data.ctx = NULL; 1555 } 1556 1557 cleanup: 1558 bzero(tmp, sizeof (tmp)); 1559 bzero(tmp2, sizeof (tmp)); 1560 bzero(tmp3, sizeof (tmp)); 1561 bzero(tmi->dec_data.block, tmi->dec_data.blocklen); 1562 return (result); 1563 } 1564 1565 /* 1566 * AES decrypt 1567 * 1568 * format of ciphertext when using AES 1569 * +-------------+------------+------------+ 1570 * | confounder | msg-data | hmac | 1571 * +-------------+------------+------------+ 1572 */ 1573 static mblk_t * 1574 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1575 hash_info_t *hash) 1576 { 1577 int result; 1578 size_t enclen; 1579 size_t inlen; 1580 uchar_t hmacbuff[64]; 1581 uchar_t tmpiv[DEFAULT_AES_BLOCKLEN]; 1582 1583 inlen = (size_t)MBLKL(mp); 1584 1585 enclen = inlen - AES_TRUNCATED_HMAC_LEN; 1586 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1587 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) { 1588 int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) / 1589 DEFAULT_AES_BLOCKLEN; 1590 bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2), 1591 tmpiv, DEFAULT_AES_BLOCKLEN); 1592 } 1593 1594 /* AES Decrypt */ 1595 result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen); 1596 1597 if (result != CRYPTO_SUCCESS) { 1598 cmn_err(CE_WARN, 1599 "aes_decrypt: aes_cbc_cts_decrypt " 1600 "failed - error %0x", result); 1601 goto cleanup; 1602 } 1603 1604 /* Verify the HMAC */ 1605 result = do_hmac(sha1_hmac_mech, 1606 &tmi->dec_data.d_hmac_key, 1607 (char *)mp->b_rptr, enclen, 1608 (char *)hmacbuff, hash->hash_len); 1609 1610 if (result != CRYPTO_SUCCESS) { 1611 cmn_err(CE_WARN, 1612 "aes_decrypt: do_hmac failed - error %0x", result); 1613 goto cleanup; 1614 } 1615 1616 if (bcmp(hmacbuff, mp->b_rptr + enclen, 1617 AES_TRUNCATED_HMAC_LEN) != 0) { 1618 result = -1; 1619 cmn_err(CE_WARN, "aes_decrypt: checksum verification failed"); 1620 goto cleanup; 1621 } 1622 1623 /* truncate the mblk at the end of the decrypted text */ 1624 mp->b_wptr = mp->b_rptr + enclen; 1625 1626 /* Adjust the beginning of the buffer to skip the confounder */ 1627 mp->b_rptr += DEFAULT_AES_BLOCKLEN; 1628 1629 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1630 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) 1631 bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN); 1632 1633 cleanup: 1634 if (result != CRYPTO_SUCCESS) { 1635 mp->b_datap->db_type = M_ERROR; 1636 mp->b_rptr = mp->b_datap->db_base; 1637 *mp->b_rptr = EIO; 1638 mp->b_wptr = mp->b_rptr + sizeof (char); 1639 freemsg(mp->b_cont); 1640 mp->b_cont = NULL; 1641 qreply(WR(q), mp); 1642 return (NULL); 1643 } 1644 return (mp); 1645 } 1646 1647 /* 1648 * AES encrypt 1649 * 1650 * format of ciphertext when using AES 1651 * +-------------+------------+------------+ 1652 * | confounder | msg-data | hmac | 1653 * +-------------+------------+------------+ 1654 */ 1655 static mblk_t * 1656 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1657 hash_info_t *hash) 1658 { 1659 int result; 1660 size_t cipherlen; 1661 size_t inlen; 1662 uchar_t hmacbuff[64]; 1663 1664 inlen = (size_t)MBLKL(mp); 1665 1666 cipherlen = encrypt_size(&tmi->enc_data, inlen); 1667 1668 ASSERT(MBLKSIZE(mp) >= cipherlen); 1669 1670 /* 1671 * Shift the rptr back enough to insert the confounder. 1672 */ 1673 mp->b_rptr -= DEFAULT_AES_BLOCKLEN; 1674 1675 /* Get random data for confounder */ 1676 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr, 1677 DEFAULT_AES_BLOCKLEN); 1678 1679 /* 1680 * Because we encrypt in-place, we need to calculate 1681 * the HMAC of the plaintext now, then stick it on 1682 * the end of the ciphertext down below. 1683 */ 1684 result = do_hmac(sha1_hmac_mech, 1685 &tmi->enc_data.d_hmac_key, 1686 (char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen, 1687 (char *)hmacbuff, hash->hash_len); 1688 1689 if (result != CRYPTO_SUCCESS) { 1690 cmn_err(CE_WARN, "aes_encrypt: do_hmac failed - error %0x", 1691 result); 1692 goto cleanup; 1693 } 1694 /* Encrypt using AES-CBC-CTS */ 1695 result = aes_cbc_cts_encrypt(tmi, mp->b_rptr, 1696 inlen + DEFAULT_AES_BLOCKLEN); 1697 1698 if (result != CRYPTO_SUCCESS) { 1699 cmn_err(CE_WARN, "aes_encrypt: aes_cbc_cts_encrypt " 1700 "failed - error %0x", result); 1701 goto cleanup; 1702 } 1703 1704 /* copy the truncated HMAC to the end of the mblk */ 1705 bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen, 1706 AES_TRUNCATED_HMAC_LEN); 1707 1708 mp->b_wptr = mp->b_rptr + cipherlen; 1709 1710 /* 1711 * The final block of cipher text (not the HMAC) is used 1712 * as the next IV. 1713 */ 1714 if (tmi->enc_data.ivec_usage != IVEC_NEVER && 1715 tmi->enc_data.ivec != NULL) { 1716 int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) / 1717 DEFAULT_AES_BLOCKLEN; 1718 1719 bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1720 tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN); 1721 } 1722 1723 cleanup: 1724 if (result != CRYPTO_SUCCESS) { 1725 mp->b_datap->db_type = M_ERROR; 1726 mp->b_rptr = mp->b_datap->db_base; 1727 *mp->b_rptr = EIO; 1728 mp->b_wptr = mp->b_rptr + sizeof (char); 1729 freemsg(mp->b_cont); 1730 mp->b_cont = NULL; 1731 qreply(WR(q), mp); 1732 return (NULL); 1733 } 1734 return (mp); 1735 } 1736 1737 /* 1738 * ARCFOUR-HMAC-MD5 decrypt 1739 * 1740 * format of ciphertext when using ARCFOUR-HMAC-MD5 1741 * +-----------+------------+------------+ 1742 * | hmac | confounder | msg-data | 1743 * +-----------+------------+------------+ 1744 * 1745 */ 1746 static mblk_t * 1747 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1748 hash_info_t *hash) 1749 { 1750 int result; 1751 size_t cipherlen; 1752 size_t inlen; 1753 size_t saltlen; 1754 crypto_key_t k1, k2; 1755 crypto_data_t indata; 1756 iovec_t v1; 1757 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 1758 0xab, 0xab, 0xab, 0xab }; 1759 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; 1760 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; 1761 uchar_t cksum[MD5_HASHSIZE]; 1762 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; 1763 crypto_mechanism_t mech; 1764 int usage; 1765 1766 /* The usage constant is 1026 for all "old" rcmd mode operations */ 1767 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1) 1768 usage = RCMDV1_USAGE; 1769 else 1770 usage = ARCFOUR_DECRYPT_USAGE; 1771 1772 /* 1773 * The size at this point should be the size of 1774 * all the plaintext plus the optional plaintext length 1775 * needed for RCMD V2 mode. There should also be room 1776 * at the head of the mblk for the confounder and hash info. 1777 */ 1778 inlen = (size_t)MBLKL(mp); 1779 1780 /* 1781 * The cipherlen does not include the HMAC at the 1782 * head of the buffer. 1783 */ 1784 cipherlen = inlen - hash->hash_len; 1785 1786 ASSERT(MBLKSIZE(mp) >= cipherlen); 1787 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 1788 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); 1789 saltdata[9] = 0; 1790 saltdata[10] = usage & 0xff; 1791 saltdata[11] = (usage >> 8) & 0xff; 1792 saltdata[12] = (usage >> 16) & 0xff; 1793 saltdata[13] = (usage >> 24) & 0xff; 1794 saltlen = 14; 1795 } else { 1796 saltdata[0] = usage & 0xff; 1797 saltdata[1] = (usage >> 8) & 0xff; 1798 saltdata[2] = (usage >> 16) & 0xff; 1799 saltdata[3] = (usage >> 24) & 0xff; 1800 saltlen = 4; 1801 } 1802 /* 1803 * Use the salt value to create a key to be used 1804 * for subsequent HMAC operations. 1805 */ 1806 result = do_hmac(md5_hmac_mech, 1807 tmi->dec_data.ckey, 1808 (char *)saltdata, saltlen, 1809 (char *)k1data, sizeof (k1data)); 1810 if (result != CRYPTO_SUCCESS) { 1811 cmn_err(CE_WARN, 1812 "arcfour_hmac_md5_decrypt: do_hmac(k1)" 1813 "failed - error %0x", result); 1814 goto cleanup; 1815 } 1816 bcopy(k1data, k2data, sizeof (k1data)); 1817 1818 /* 1819 * For the neutered MS RC4 encryption type, 1820 * set the trailing 9 bytes to 0xab per the 1821 * RC4-HMAC spec. 1822 */ 1823 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 1824 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); 1825 } 1826 1827 mech.cm_type = tmi->dec_data.mech_type; 1828 mech.cm_param = NULL; 1829 mech.cm_param_len = 0; 1830 1831 /* 1832 * If we have not yet initialized the decryption key, 1833 * context, and template, do it now. 1834 */ 1835 if (tmi->dec_data.ctx == NULL || 1836 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { 1837 k1.ck_format = CRYPTO_KEY_RAW; 1838 k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8; 1839 k1.ck_data = k1data; 1840 1841 tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW; 1842 tmi->dec_data.d_encr_key.ck_length = k1.ck_length; 1843 if (tmi->dec_data.d_encr_key.ck_data == NULL) 1844 tmi->dec_data.d_encr_key.ck_data = kmem_zalloc( 1845 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); 1846 1847 /* 1848 * HMAC operation creates the encryption 1849 * key to be used for the decrypt operations. 1850 */ 1851 result = do_hmac(md5_hmac_mech, &k1, 1852 (char *)mp->b_rptr, hash->hash_len, 1853 (char *)tmi->dec_data.d_encr_key.ck_data, 1854 CRYPT_ARCFOUR_KEYBYTES); 1855 1856 1857 if (result != CRYPTO_SUCCESS) { 1858 cmn_err(CE_WARN, 1859 "arcfour_hmac_md5_decrypt: do_hmac(k3)" 1860 "failed - error %0x", result); 1861 goto cleanup; 1862 } 1863 } 1864 1865 tmi->dec_data.enc_tmpl = NULL; 1866 1867 if (tmi->dec_data.ctx == NULL && 1868 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { 1869 /* 1870 * Only create a template if we are doing 1871 * chaining from block to block. 1872 */ 1873 result = crypto_create_ctx_template(&mech, 1874 &tmi->dec_data.d_encr_key, 1875 &tmi->dec_data.enc_tmpl, 1876 KM_SLEEP); 1877 if (result == CRYPTO_NOT_SUPPORTED) { 1878 tmi->dec_data.enc_tmpl = NULL; 1879 } else if (result != CRYPTO_SUCCESS) { 1880 cmn_err(CE_WARN, 1881 "arcfour_hmac_md5_decrypt: " 1882 "failed to create dec template " 1883 "for RC4 encrypt: %0x", result); 1884 goto cleanup; 1885 } 1886 1887 result = crypto_decrypt_init(&mech, 1888 &tmi->dec_data.d_encr_key, 1889 tmi->dec_data.enc_tmpl, 1890 &tmi->dec_data.ctx, NULL); 1891 1892 if (result != CRYPTO_SUCCESS) { 1893 cmn_err(CE_WARN, "crypto_decrypt_init failed:" 1894 " %0x", result); 1895 goto cleanup; 1896 } 1897 } 1898 1899 /* adjust the rptr so we don't decrypt the original hmac field */ 1900 1901 v1.iov_base = (char *)mp->b_rptr + hash->hash_len; 1902 v1.iov_len = cipherlen; 1903 1904 indata.cd_format = CRYPTO_DATA_RAW; 1905 indata.cd_offset = 0; 1906 indata.cd_length = cipherlen; 1907 indata.cd_raw = v1; 1908 1909 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 1910 result = crypto_decrypt_update(tmi->dec_data.ctx, 1911 &indata, NULL, NULL); 1912 else 1913 result = crypto_decrypt(&mech, &indata, 1914 &tmi->dec_data.d_encr_key, NULL, NULL, NULL); 1915 1916 if (result != CRYPTO_SUCCESS) { 1917 cmn_err(CE_WARN, "crypto_decrypt_update failed:" 1918 " %0x", result); 1919 goto cleanup; 1920 } 1921 1922 k2.ck_format = CRYPTO_KEY_RAW; 1923 k2.ck_length = sizeof (k2data) * 8; 1924 k2.ck_data = k2data; 1925 1926 result = do_hmac(md5_hmac_mech, 1927 &k2, 1928 (char *)mp->b_rptr + hash->hash_len, cipherlen, 1929 (char *)cksum, hash->hash_len); 1930 1931 if (result != CRYPTO_SUCCESS) { 1932 cmn_err(CE_WARN, 1933 "arcfour_hmac_md5_decrypt: do_hmac(k2)" 1934 "failed - error %0x", result); 1935 goto cleanup; 1936 } 1937 1938 if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) { 1939 cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed"); 1940 result = -1; 1941 goto cleanup; 1942 } 1943 1944 /* 1945 * adjust the start of the mblk to skip over the 1946 * hash and confounder. 1947 */ 1948 mp->b_rptr += hash->hash_len + hash->confound_len; 1949 1950 cleanup: 1951 bzero(k1data, sizeof (k1data)); 1952 bzero(k2data, sizeof (k2data)); 1953 bzero(cksum, sizeof (cksum)); 1954 bzero(saltdata, sizeof (saltdata)); 1955 if (result != CRYPTO_SUCCESS) { 1956 mp->b_datap->db_type = M_ERROR; 1957 mp->b_rptr = mp->b_datap->db_base; 1958 *mp->b_rptr = EIO; 1959 mp->b_wptr = mp->b_rptr + sizeof (char); 1960 freemsg(mp->b_cont); 1961 mp->b_cont = NULL; 1962 qreply(WR(q), mp); 1963 return (NULL); 1964 } 1965 return (mp); 1966 } 1967 1968 /* 1969 * ARCFOUR-HMAC-MD5 encrypt 1970 * 1971 * format of ciphertext when using ARCFOUR-HMAC-MD5 1972 * +-----------+------------+------------+ 1973 * | hmac | confounder | msg-data | 1974 * +-----------+------------+------------+ 1975 * 1976 */ 1977 static mblk_t * 1978 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1979 hash_info_t *hash) 1980 { 1981 int result; 1982 size_t cipherlen; 1983 size_t inlen; 1984 size_t saltlen; 1985 crypto_key_t k1, k2; 1986 crypto_data_t indata; 1987 iovec_t v1; 1988 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 1989 0xab, 0xab, 0xab, 0xab }; 1990 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; 1991 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; 1992 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; 1993 crypto_mechanism_t mech; 1994 int usage; 1995 1996 /* The usage constant is 1026 for all "old" rcmd mode operations */ 1997 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1) 1998 usage = RCMDV1_USAGE; 1999 else 2000 usage = ARCFOUR_ENCRYPT_USAGE; 2001 2002 mech.cm_type = tmi->enc_data.mech_type; 2003 mech.cm_param = NULL; 2004 mech.cm_param_len = 0; 2005 2006 /* 2007 * The size at this point should be the size of 2008 * all the plaintext plus the optional plaintext length 2009 * needed for RCMD V2 mode. There should also be room 2010 * at the head of the mblk for the confounder and hash info. 2011 */ 2012 inlen = (size_t)MBLKL(mp); 2013 2014 cipherlen = encrypt_size(&tmi->enc_data, inlen); 2015 2016 ASSERT(MBLKSIZE(mp) >= cipherlen); 2017 2018 /* 2019 * Shift the rptr back enough to insert 2020 * the confounder and hash. 2021 */ 2022 mp->b_rptr -= (hash->confound_len + hash->hash_len); 2023 2024 /* zero out the hash area */ 2025 bzero(mp->b_rptr, (size_t)hash->hash_len); 2026 2027 if (cipherlen > inlen) { 2028 bzero(mp->b_wptr, MBLKTAIL(mp)); 2029 } 2030 2031 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 2032 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); 2033 saltdata[9] = 0; 2034 saltdata[10] = usage & 0xff; 2035 saltdata[11] = (usage >> 8) & 0xff; 2036 saltdata[12] = (usage >> 16) & 0xff; 2037 saltdata[13] = (usage >> 24) & 0xff; 2038 saltlen = 14; 2039 } else { 2040 saltdata[0] = usage & 0xff; 2041 saltdata[1] = (usage >> 8) & 0xff; 2042 saltdata[2] = (usage >> 16) & 0xff; 2043 saltdata[3] = (usage >> 24) & 0xff; 2044 saltlen = 4; 2045 } 2046 /* 2047 * Use the salt value to create a key to be used 2048 * for subsequent HMAC operations. 2049 */ 2050 result = do_hmac(md5_hmac_mech, 2051 tmi->enc_data.ckey, 2052 (char *)saltdata, saltlen, 2053 (char *)k1data, sizeof (k1data)); 2054 if (result != CRYPTO_SUCCESS) { 2055 cmn_err(CE_WARN, 2056 "arcfour_hmac_md5_encrypt: do_hmac(k1)" 2057 "failed - error %0x", result); 2058 goto cleanup; 2059 } 2060 2061 bcopy(k1data, k2data, sizeof (k2data)); 2062 2063 /* 2064 * For the neutered MS RC4 encryption type, 2065 * set the trailing 9 bytes to 0xab per the 2066 * RC4-HMAC spec. 2067 */ 2068 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 2069 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); 2070 } 2071 2072 /* 2073 * Get the confounder bytes. 2074 */ 2075 (void) random_get_pseudo_bytes( 2076 (uint8_t *)(mp->b_rptr + hash->hash_len), 2077 (size_t)hash->confound_len); 2078 2079 k2.ck_data = k2data; 2080 k2.ck_format = CRYPTO_KEY_RAW; 2081 k2.ck_length = sizeof (k2data) * 8; 2082 2083 /* 2084 * This writes the HMAC to the hash area in the 2085 * mblk. The key used is the one just created by 2086 * the previous HMAC operation. 2087 * The data being processed is the confounder bytes 2088 * PLUS the input plaintext. 2089 */ 2090 result = do_hmac(md5_hmac_mech, &k2, 2091 (char *)mp->b_rptr + hash->hash_len, 2092 hash->confound_len + inlen, 2093 (char *)mp->b_rptr, hash->hash_len); 2094 if (result != CRYPTO_SUCCESS) { 2095 cmn_err(CE_WARN, 2096 "arcfour_hmac_md5_encrypt: do_hmac(k2)" 2097 "failed - error %0x", result); 2098 goto cleanup; 2099 } 2100 /* 2101 * Because of the odd way that MIT uses RC4 keys 2102 * on the rlogin stream, we only need to create 2103 * this key once. 2104 * However, if using "old" rcmd mode, we need to do 2105 * it every time. 2106 */ 2107 if (tmi->enc_data.ctx == NULL || 2108 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { 2109 crypto_key_t *key = &tmi->enc_data.d_encr_key; 2110 2111 k1.ck_data = k1data; 2112 k1.ck_format = CRYPTO_KEY_RAW; 2113 k1.ck_length = sizeof (k1data) * 8; 2114 2115 key->ck_format = CRYPTO_KEY_RAW; 2116 key->ck_length = k1.ck_length; 2117 if (key->ck_data == NULL) 2118 key->ck_data = kmem_zalloc( 2119 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); 2120 2121 /* 2122 * The final HMAC operation creates the encryption 2123 * key to be used for the encrypt operation. 2124 */ 2125 result = do_hmac(md5_hmac_mech, &k1, 2126 (char *)mp->b_rptr, hash->hash_len, 2127 (char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES); 2128 2129 if (result != CRYPTO_SUCCESS) { 2130 cmn_err(CE_WARN, 2131 "arcfour_hmac_md5_encrypt: do_hmac(k3)" 2132 "failed - error %0x", result); 2133 goto cleanup; 2134 } 2135 } 2136 2137 /* 2138 * If the context has not been initialized, do it now. 2139 */ 2140 if (tmi->enc_data.ctx == NULL && 2141 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { 2142 /* 2143 * Only create a template if we are doing 2144 * chaining from block to block. 2145 */ 2146 result = crypto_create_ctx_template(&mech, 2147 &tmi->enc_data.d_encr_key, 2148 &tmi->enc_data.enc_tmpl, 2149 KM_SLEEP); 2150 if (result == CRYPTO_NOT_SUPPORTED) { 2151 tmi->enc_data.enc_tmpl = NULL; 2152 } else if (result != CRYPTO_SUCCESS) { 2153 cmn_err(CE_WARN, "failed to create enc template " 2154 "for RC4 encrypt: %0x", result); 2155 goto cleanup; 2156 } 2157 2158 result = crypto_encrypt_init(&mech, 2159 &tmi->enc_data.d_encr_key, 2160 tmi->enc_data.enc_tmpl, 2161 &tmi->enc_data.ctx, NULL); 2162 if (result != CRYPTO_SUCCESS) { 2163 cmn_err(CE_WARN, "crypto_encrypt_init failed:" 2164 " %0x", result); 2165 goto cleanup; 2166 } 2167 } 2168 v1.iov_base = (char *)mp->b_rptr + hash->hash_len; 2169 v1.iov_len = hash->confound_len + inlen; 2170 2171 indata.cd_format = CRYPTO_DATA_RAW; 2172 indata.cd_offset = 0; 2173 indata.cd_length = hash->confound_len + inlen; 2174 indata.cd_raw = v1; 2175 2176 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 2177 result = crypto_encrypt_update(tmi->enc_data.ctx, 2178 &indata, NULL, NULL); 2179 else 2180 result = crypto_encrypt(&mech, &indata, 2181 &tmi->enc_data.d_encr_key, NULL, 2182 NULL, NULL); 2183 2184 if (result != CRYPTO_SUCCESS) { 2185 cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x", 2186 result); 2187 } 2188 2189 cleanup: 2190 bzero(k1data, sizeof (k1data)); 2191 bzero(k2data, sizeof (k2data)); 2192 bzero(saltdata, sizeof (saltdata)); 2193 if (result != CRYPTO_SUCCESS) { 2194 mp->b_datap->db_type = M_ERROR; 2195 mp->b_rptr = mp->b_datap->db_base; 2196 *mp->b_rptr = EIO; 2197 mp->b_wptr = mp->b_rptr + sizeof (char); 2198 freemsg(mp->b_cont); 2199 mp->b_cont = NULL; 2200 qreply(WR(q), mp); 2201 return (NULL); 2202 } 2203 return (mp); 2204 } 2205 2206 /* 2207 * DES-CBC-[HASH] encrypt 2208 * 2209 * Needed to support userland apps that must support Kerberos V5 2210 * encryption DES-CBC encryption modes. 2211 * 2212 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1 2213 * 2214 * format of ciphertext for DES-CBC functions, per RFC1510 is: 2215 * +-----------+----------+-------------+-----+ 2216 * |confounder | cksum | msg-data | pad | 2217 * +-----------+----------+-------------+-----+ 2218 * 2219 * format of ciphertext when using DES3-SHA1-HMAC 2220 * +-----------+----------+-------------+-----+ 2221 * |confounder | msg-data | hmac | pad | 2222 * +-----------+----------+-------------+-----+ 2223 * 2224 * The confounder is 8 bytes of random data. 2225 * The cksum depends on the hash being used. 2226 * 4 bytes for CRC32 2227 * 16 bytes for MD5 2228 * 20 bytes for SHA1 2229 * 0 bytes for RAW 2230 * 2231 */ 2232 static mblk_t * 2233 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) 2234 { 2235 int result; 2236 size_t cipherlen; 2237 size_t inlen; 2238 size_t plainlen; 2239 2240 /* 2241 * The size at this point should be the size of 2242 * all the plaintext plus the optional plaintext length 2243 * needed for RCMD V2 mode. There should also be room 2244 * at the head of the mblk for the confounder and hash info. 2245 */ 2246 inlen = (size_t)MBLKL(mp); 2247 2248 /* 2249 * The output size will be a multiple of 8 because this algorithm 2250 * only works on 8 byte chunks. 2251 */ 2252 cipherlen = encrypt_size(&tmi->enc_data, inlen); 2253 2254 ASSERT(MBLKSIZE(mp) >= cipherlen); 2255 2256 if (cipherlen > inlen) { 2257 bzero(mp->b_wptr, MBLKTAIL(mp)); 2258 } 2259 2260 /* 2261 * Shift the rptr back enough to insert 2262 * the confounder and hash. 2263 */ 2264 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2265 mp->b_rptr -= hash->confound_len; 2266 } else { 2267 mp->b_rptr -= (hash->confound_len + hash->hash_len); 2268 2269 /* zero out the hash area */ 2270 bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len); 2271 } 2272 2273 /* get random confounder from our friend, the 'random' module */ 2274 if (hash->confound_len > 0) { 2275 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr, 2276 (size_t)hash->confound_len); 2277 } 2278 2279 /* 2280 * For 3DES we calculate an HMAC later. 2281 */ 2282 if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) { 2283 /* calculate chksum of confounder + input */ 2284 if (hash->hash_len > 0 && hash->hashfunc != NULL) { 2285 uchar_t cksum[MAX_CKSUM_LEN]; 2286 2287 result = hash->hashfunc(cksum, mp->b_rptr, 2288 cipherlen); 2289 if (result != CRYPTO_SUCCESS) { 2290 goto failure; 2291 } 2292 2293 /* put hash in place right after the confounder */ 2294 bcopy(cksum, (mp->b_rptr + hash->confound_len), 2295 (size_t)hash->hash_len); 2296 } 2297 } 2298 /* 2299 * In order to support the "old" Kerberos RCMD protocol, 2300 * we must use the IVEC 3 different ways: 2301 * IVEC_REUSE = keep using the same IV each time, this is 2302 * ugly and insecure, but necessary for 2303 * backwards compatibility with existing MIT code. 2304 * IVEC_ONETIME = Use the ivec as initialized when the crypto 2305 * was setup (see setup_crypto routine). 2306 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk). 2307 */ 2308 if (tmi->enc_data.ivec_usage == IVEC_NEVER) { 2309 bzero(tmi->enc_data.block, tmi->enc_data.blocklen); 2310 } else if (tmi->enc_data.ivec_usage == IVEC_REUSE) { 2311 bcopy(tmi->enc_data.ivec, tmi->enc_data.block, 2312 tmi->enc_data.blocklen); 2313 } 2314 2315 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2316 /* 2317 * The input length already included the hash size, 2318 * don't include this in the plaintext length 2319 * calculations. 2320 */ 2321 plainlen = cipherlen - hash->hash_len; 2322 2323 mp->b_wptr = mp->b_rptr + plainlen; 2324 2325 result = kef_encr_hmac(&tmi->enc_data, 2326 (void *)mp, (size_t)plainlen, 2327 (char *)(mp->b_rptr + plainlen), 2328 hash->hash_len); 2329 } else { 2330 ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp)); 2331 mp->b_wptr = mp->b_rptr + cipherlen; 2332 result = kef_crypt(&tmi->enc_data, (void *)mp, 2333 CRYPTO_DATA_MBLK, (size_t)cipherlen, 2334 CRYPT_ENCRYPT); 2335 } 2336 failure: 2337 if (result != CRYPTO_SUCCESS) { 2338 #ifdef DEBUG 2339 cmn_err(CE_WARN, 2340 "des_cbc_encrypt: kef_crypt encrypt " 2341 "failed (len: %ld) - error %0x", 2342 cipherlen, result); 2343 #endif 2344 mp->b_datap->db_type = M_ERROR; 2345 mp->b_rptr = mp->b_datap->db_base; 2346 *mp->b_rptr = EIO; 2347 mp->b_wptr = mp->b_rptr + sizeof (char); 2348 freemsg(mp->b_cont); 2349 mp->b_cont = NULL; 2350 qreply(WR(q), mp); 2351 return (NULL); 2352 } else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) { 2353 /* 2354 * Because we are using KEF, we must manually 2355 * update our IV. 2356 */ 2357 bcopy(mp->b_wptr - tmi->enc_data.ivlen, 2358 tmi->enc_data.block, tmi->enc_data.ivlen); 2359 } 2360 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2361 mp->b_wptr = mp->b_rptr + cipherlen; 2362 } 2363 2364 return (mp); 2365 } 2366 2367 /* 2368 * des_cbc_decrypt 2369 * 2370 * 2371 * Needed to support userland apps that must support Kerberos V5 2372 * encryption DES-CBC decryption modes. 2373 * 2374 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1 2375 * 2376 * format of ciphertext for DES-CBC functions, per RFC1510 is: 2377 * +-----------+----------+-------------+-----+ 2378 * |confounder | cksum | msg-data | pad | 2379 * +-----------+----------+-------------+-----+ 2380 * 2381 * format of ciphertext when using DES3-SHA1-HMAC 2382 * +-----------+----------+-------------+-----+ 2383 * |confounder | msg-data | hmac | pad | 2384 * +-----------+----------+-------------+-----+ 2385 * 2386 * The confounder is 8 bytes of random data. 2387 * The cksum depends on the hash being used. 2388 * 4 bytes for CRC32 2389 * 16 bytes for MD5 2390 * 20 bytes for SHA1 2391 * 0 bytes for RAW 2392 * 2393 */ 2394 static mblk_t * 2395 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) 2396 { 2397 uint_t inlen, datalen; 2398 int result = 0; 2399 uchar_t *optr = NULL; 2400 uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN]; 2401 uchar_t nextiv[DEFAULT_DES_BLOCKLEN]; 2402 2403 /* Compute adjusted size */ 2404 inlen = MBLKL(mp); 2405 2406 optr = mp->b_rptr; 2407 2408 /* 2409 * In order to support the "old" Kerberos RCMD protocol, 2410 * we must use the IVEC 3 different ways: 2411 * IVEC_REUSE = keep using the same IV each time, this is 2412 * ugly and insecure, but necessary for 2413 * backwards compatibility with existing MIT code. 2414 * IVEC_ONETIME = Use the ivec as initialized when the crypto 2415 * was setup (see setup_crypto routine). 2416 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk). 2417 */ 2418 if (tmi->dec_data.ivec_usage == IVEC_NEVER) 2419 bzero(tmi->dec_data.block, tmi->dec_data.blocklen); 2420 else if (tmi->dec_data.ivec_usage == IVEC_REUSE) 2421 bcopy(tmi->dec_data.ivec, tmi->dec_data.block, 2422 tmi->dec_data.blocklen); 2423 2424 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2425 /* 2426 * Do not decrypt the HMAC at the end 2427 */ 2428 int decrypt_len = inlen - hash->hash_len; 2429 2430 /* 2431 * Move the wptr so the mblk appears to end 2432 * BEFORE the HMAC section. 2433 */ 2434 mp->b_wptr = mp->b_rptr + decrypt_len; 2435 2436 /* 2437 * Because we are using KEF, we must manually update our 2438 * IV. 2439 */ 2440 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { 2441 bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen, 2442 nextiv, tmi->dec_data.ivlen); 2443 } 2444 2445 result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len, 2446 (char *)newcksum, hash->hash_len); 2447 } else { 2448 /* 2449 * Because we are using KEF, we must manually update our 2450 * IV. 2451 */ 2452 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { 2453 bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv, 2454 tmi->dec_data.ivlen); 2455 } 2456 result = kef_crypt(&tmi->dec_data, (void *)mp, 2457 CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT); 2458 } 2459 if (result != CRYPTO_SUCCESS) { 2460 #ifdef DEBUG 2461 cmn_err(CE_WARN, 2462 "des_cbc_decrypt: kef_crypt decrypt " 2463 "failed - error %0x", result); 2464 #endif 2465 mp->b_datap->db_type = M_ERROR; 2466 mp->b_rptr = mp->b_datap->db_base; 2467 *mp->b_rptr = EIO; 2468 mp->b_wptr = mp->b_rptr + sizeof (char); 2469 freemsg(mp->b_cont); 2470 mp->b_cont = NULL; 2471 qreply(WR(q), mp); 2472 return (NULL); 2473 } 2474 2475 /* 2476 * Manually update the IV, KEF does not track this for us. 2477 */ 2478 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { 2479 bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen); 2480 } 2481 2482 /* Verify the checksum(if necessary) */ 2483 if (hash->hash_len > 0) { 2484 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2485 bcopy(mp->b_rptr + inlen - hash->hash_len, cksum, 2486 hash->hash_len); 2487 } else { 2488 bcopy(optr + hash->confound_len, cksum, hash->hash_len); 2489 2490 /* zero the cksum in the buffer */ 2491 ASSERT(optr + hash->confound_len + hash->hash_len <= 2492 DB_LIM(mp)); 2493 bzero(optr + hash->confound_len, hash->hash_len); 2494 2495 /* calculate MD5 chksum of confounder + input */ 2496 if (hash->hashfunc) { 2497 (void) hash->hashfunc(newcksum, optr, inlen); 2498 } 2499 } 2500 2501 if (bcmp(cksum, newcksum, hash->hash_len)) { 2502 #ifdef DEBUG 2503 cmn_err(CE_WARN, "des_cbc_decrypt: checksum " 2504 "verification failed"); 2505 #endif 2506 mp->b_datap->db_type = M_ERROR; 2507 mp->b_rptr = mp->b_datap->db_base; 2508 *mp->b_rptr = EIO; 2509 mp->b_wptr = mp->b_rptr + sizeof (char); 2510 freemsg(mp->b_cont); 2511 mp->b_cont = NULL; 2512 qreply(WR(q), mp); 2513 return (NULL); 2514 } 2515 } 2516 2517 datalen = inlen - hash->confound_len - hash->hash_len; 2518 2519 /* Move just the decrypted input into place if necessary */ 2520 if (hash->confound_len > 0 || hash->hash_len > 0) { 2521 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) 2522 mp->b_rptr += hash->confound_len; 2523 else 2524 mp->b_rptr += hash->confound_len + hash->hash_len; 2525 } 2526 2527 ASSERT(mp->b_rptr + datalen <= DB_LIM(mp)); 2528 mp->b_wptr = mp->b_rptr + datalen; 2529 2530 return (mp); 2531 } 2532 2533 static mblk_t * 2534 do_decrypt(queue_t *q, mblk_t *mp) 2535 { 2536 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 2537 mblk_t *outmp; 2538 2539 switch (tmi->dec_data.method) { 2540 case CRYPT_METHOD_DES_CFB: 2541 outmp = des_cfb_decrypt(q, tmi, mp); 2542 break; 2543 case CRYPT_METHOD_NONE: 2544 outmp = mp; 2545 break; 2546 case CRYPT_METHOD_DES_CBC_NULL: 2547 outmp = des_cbc_decrypt(q, tmi, mp, &null_hash); 2548 break; 2549 case CRYPT_METHOD_DES_CBC_MD5: 2550 outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash); 2551 break; 2552 case CRYPT_METHOD_DES_CBC_CRC: 2553 outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash); 2554 break; 2555 case CRYPT_METHOD_DES3_CBC_SHA1: 2556 outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash); 2557 break; 2558 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 2559 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 2560 outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash); 2561 break; 2562 case CRYPT_METHOD_AES128: 2563 case CRYPT_METHOD_AES256: 2564 outmp = aes_decrypt(q, tmi, mp, &sha1_hash); 2565 break; 2566 } 2567 return (outmp); 2568 } 2569 2570 /* 2571 * do_encrypt 2572 * 2573 * Generic encryption routine for a single message block. 2574 * The input mblk may be replaced by some encrypt routines 2575 * because they add extra data in some cases that may exceed 2576 * the input mblk_t size limit. 2577 */ 2578 static mblk_t * 2579 do_encrypt(queue_t *q, mblk_t *mp) 2580 { 2581 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 2582 mblk_t *outmp; 2583 2584 switch (tmi->enc_data.method) { 2585 case CRYPT_METHOD_DES_CFB: 2586 outmp = des_cfb_encrypt(q, tmi, mp); 2587 break; 2588 case CRYPT_METHOD_DES_CBC_NULL: 2589 outmp = des_cbc_encrypt(q, tmi, mp, &null_hash); 2590 break; 2591 case CRYPT_METHOD_DES_CBC_MD5: 2592 outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash); 2593 break; 2594 case CRYPT_METHOD_DES_CBC_CRC: 2595 outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash); 2596 break; 2597 case CRYPT_METHOD_DES3_CBC_SHA1: 2598 outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash); 2599 break; 2600 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 2601 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 2602 outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash); 2603 break; 2604 case CRYPT_METHOD_AES128: 2605 case CRYPT_METHOD_AES256: 2606 outmp = aes_encrypt(q, tmi, mp, &sha1_hash); 2607 break; 2608 case CRYPT_METHOD_NONE: 2609 outmp = mp; 2610 break; 2611 } 2612 return (outmp); 2613 } 2614 2615 /* 2616 * setup_crypto 2617 * 2618 * This takes the data from the CRYPTIOCSETUP ioctl 2619 * and sets up a cipher_data_t structure for either 2620 * encryption or decryption. This is where the 2621 * key and initialization vector data get stored 2622 * prior to beginning any crypto functions. 2623 * 2624 * Special note: 2625 * Some applications(e.g. telnetd) have ability to switch 2626 * crypto on/off periodically. Thus, the application may call 2627 * the CRYPTIOCSETUP ioctl many times for the same stream. 2628 * If the CRYPTIOCSETUP is called with 0 length key or ivec fields 2629 * assume that the key, block, and saveblock fields that are already 2630 * set from a previous CRIOCSETUP call are still valid. This helps avoid 2631 * a rekeying error that could occur if we overwrite these fields 2632 * with each CRYPTIOCSETUP call. 2633 * In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off 2634 * without resetting the original crypto parameters. 2635 * 2636 */ 2637 static int 2638 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt) 2639 { 2640 uint_t newblocklen; 2641 uint32_t enc_usage = 0, dec_usage = 0; 2642 int rv; 2643 2644 /* 2645 * Initial sanity checks 2646 */ 2647 if (!CR_METHOD_OK(ci->crypto_method)) { 2648 cmn_err(CE_WARN, "Illegal crypto method (%d)", 2649 ci->crypto_method); 2650 return (EINVAL); 2651 } 2652 if (!CR_OPTIONS_OK(ci->option_mask)) { 2653 cmn_err(CE_WARN, "Illegal crypto options (%d)", 2654 ci->option_mask); 2655 return (EINVAL); 2656 } 2657 if (!CR_IVUSAGE_OK(ci->ivec_usage)) { 2658 cmn_err(CE_WARN, "Illegal ivec usage value (%d)", 2659 ci->ivec_usage); 2660 return (EINVAL); 2661 } 2662 2663 cd->method = ci->crypto_method; 2664 cd->bytes = 0; 2665 2666 if (ci->keylen > 0) { 2667 if (cd->key != NULL) { 2668 kmem_free(cd->key, cd->keylen); 2669 cd->key = NULL; 2670 cd->keylen = 0; 2671 } 2672 /* 2673 * cd->key holds the copy of the raw key bytes passed in 2674 * from the userland app. 2675 */ 2676 cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP); 2677 2678 cd->keylen = ci->keylen; 2679 bcopy(ci->key, cd->key, (size_t)ci->keylen); 2680 } 2681 2682 /* 2683 * Configure the block size based on the type of cipher. 2684 */ 2685 switch (cd->method) { 2686 case CRYPT_METHOD_NONE: 2687 newblocklen = 0; 2688 break; 2689 case CRYPT_METHOD_DES_CFB: 2690 newblocklen = DEFAULT_DES_BLOCKLEN; 2691 cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB); 2692 break; 2693 case CRYPT_METHOD_DES_CBC_NULL: 2694 case CRYPT_METHOD_DES_CBC_MD5: 2695 case CRYPT_METHOD_DES_CBC_CRC: 2696 newblocklen = DEFAULT_DES_BLOCKLEN; 2697 cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC); 2698 break; 2699 case CRYPT_METHOD_DES3_CBC_SHA1: 2700 newblocklen = DEFAULT_DES_BLOCKLEN; 2701 cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC); 2702 /* 3DES always uses the old usage constant */ 2703 enc_usage = RCMDV1_USAGE; 2704 dec_usage = RCMDV1_USAGE; 2705 break; 2706 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 2707 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 2708 newblocklen = 0; 2709 cd->mech_type = crypto_mech2id(SUN_CKM_RC4); 2710 break; 2711 case CRYPT_METHOD_AES128: 2712 case CRYPT_METHOD_AES256: 2713 newblocklen = DEFAULT_AES_BLOCKLEN; 2714 cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB); 2715 enc_usage = AES_ENCRYPT_USAGE; 2716 dec_usage = AES_DECRYPT_USAGE; 2717 break; 2718 } 2719 if (cd->mech_type == CRYPTO_MECH_INVALID) { 2720 return (CRYPTO_FAILED); 2721 } 2722 2723 /* 2724 * If RC4, initialize the master crypto key used by 2725 * the RC4 algorithm to derive the final encrypt and decrypt keys. 2726 */ 2727 if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) { 2728 /* 2729 * cd->ckey is a kernel crypto key structure used as the 2730 * master key in the RC4-HMAC crypto operations. 2731 */ 2732 if (cd->ckey == NULL) { 2733 cd->ckey = (crypto_key_t *)kmem_zalloc( 2734 sizeof (crypto_key_t), KM_SLEEP); 2735 } 2736 2737 cd->ckey->ck_format = CRYPTO_KEY_RAW; 2738 cd->ckey->ck_data = cd->key; 2739 2740 /* key length for EF is measured in bits */ 2741 cd->ckey->ck_length = cd->keylen * 8; 2742 } 2743 2744 /* 2745 * cd->block and cd->saveblock are used as temporary storage for 2746 * data that must be carried over between encrypt/decrypt operations 2747 * in some of the "feedback" modes. 2748 */ 2749 if (newblocklen != cd->blocklen) { 2750 if (cd->block != NULL) { 2751 kmem_free(cd->block, cd->blocklen); 2752 cd->block = NULL; 2753 } 2754 2755 if (cd->saveblock != NULL) { 2756 kmem_free(cd->saveblock, cd->blocklen); 2757 cd->saveblock = NULL; 2758 } 2759 2760 cd->blocklen = newblocklen; 2761 if (cd->blocklen) { 2762 cd->block = (char *)kmem_zalloc((size_t)cd->blocklen, 2763 KM_SLEEP); 2764 } 2765 2766 if (cd->method == CRYPT_METHOD_DES_CFB) 2767 cd->saveblock = (char *)kmem_zalloc(cd->blocklen, 2768 KM_SLEEP); 2769 else 2770 cd->saveblock = NULL; 2771 } 2772 2773 if (ci->iveclen != cd->ivlen) { 2774 if (cd->ivec != NULL) { 2775 kmem_free(cd->ivec, cd->ivlen); 2776 cd->ivec = NULL; 2777 } 2778 if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) { 2779 cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen, 2780 KM_SLEEP); 2781 cd->ivlen = ci->iveclen; 2782 } else { 2783 cd->ivlen = 0; 2784 cd->ivec = NULL; 2785 } 2786 } 2787 cd->option_mask = ci->option_mask; 2788 2789 /* 2790 * Old protocol requires a static 'usage' value for 2791 * deriving keys. Yuk. 2792 */ 2793 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) { 2794 enc_usage = dec_usage = RCMDV1_USAGE; 2795 } 2796 2797 if (cd->ivlen > cd->blocklen) { 2798 cmn_err(CE_WARN, "setup_crypto: IV longer than block size"); 2799 return (EINVAL); 2800 } 2801 2802 /* 2803 * If we are using an IVEC "correctly" (i.e. set it once) 2804 * copy it here. 2805 */ 2806 if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL) 2807 bcopy(ci->ivec, cd->block, (size_t)cd->ivlen); 2808 2809 cd->ivec_usage = ci->ivec_usage; 2810 if (cd->ivec != NULL) { 2811 /* Save the original IVEC in case we need it later */ 2812 bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen); 2813 } 2814 /* 2815 * Special handling for 3DES-SHA1-HMAC and AES crypto: 2816 * generate derived keys and context templates 2817 * for better performance. 2818 */ 2819 if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 || 2820 IS_AES_METHOD(cd->method)) { 2821 crypto_mechanism_t enc_mech; 2822 crypto_mechanism_t hmac_mech; 2823 2824 if (cd->d_encr_key.ck_data != NULL) { 2825 bzero(cd->d_encr_key.ck_data, cd->keylen); 2826 kmem_free(cd->d_encr_key.ck_data, cd->keylen); 2827 } 2828 2829 if (cd->d_hmac_key.ck_data != NULL) { 2830 bzero(cd->d_hmac_key.ck_data, cd->keylen); 2831 kmem_free(cd->d_hmac_key.ck_data, cd->keylen); 2832 } 2833 2834 if (cd->enc_tmpl != NULL) 2835 (void) crypto_destroy_ctx_template(cd->enc_tmpl); 2836 2837 if (cd->hmac_tmpl != NULL) 2838 (void) crypto_destroy_ctx_template(cd->hmac_tmpl); 2839 2840 enc_mech.cm_type = cd->mech_type; 2841 enc_mech.cm_param = cd->ivec; 2842 enc_mech.cm_param_len = cd->ivlen; 2843 2844 hmac_mech.cm_type = sha1_hmac_mech; 2845 hmac_mech.cm_param = NULL; 2846 hmac_mech.cm_param_len = 0; 2847 2848 /* 2849 * Create the derived keys. 2850 */ 2851 rv = create_derived_keys(cd, 2852 (encrypt ? enc_usage : dec_usage), 2853 &cd->d_encr_key, &cd->d_hmac_key); 2854 2855 if (rv != CRYPTO_SUCCESS) { 2856 cmn_err(CE_WARN, "failed to create derived " 2857 "keys: %0x", rv); 2858 return (CRYPTO_FAILED); 2859 } 2860 2861 rv = crypto_create_ctx_template(&enc_mech, 2862 &cd->d_encr_key, 2863 &cd->enc_tmpl, KM_SLEEP); 2864 if (rv == CRYPTO_MECH_NOT_SUPPORTED) { 2865 cd->enc_tmpl = NULL; 2866 } else if (rv != CRYPTO_SUCCESS) { 2867 cmn_err(CE_WARN, "failed to create enc template " 2868 "for d_encr_key: %0x", rv); 2869 return (CRYPTO_FAILED); 2870 } 2871 2872 rv = crypto_create_ctx_template(&hmac_mech, 2873 &cd->d_hmac_key, 2874 &cd->hmac_tmpl, KM_SLEEP); 2875 if (rv == CRYPTO_MECH_NOT_SUPPORTED) { 2876 cd->hmac_tmpl = NULL; 2877 } else if (rv != CRYPTO_SUCCESS) { 2878 cmn_err(CE_WARN, "failed to create hmac template:" 2879 " %0x", rv); 2880 return (CRYPTO_FAILED); 2881 } 2882 } else if (IS_RC4_METHOD(cd->method)) { 2883 bzero(&cd->d_encr_key, sizeof (crypto_key_t)); 2884 bzero(&cd->d_hmac_key, sizeof (crypto_key_t)); 2885 cd->ctx = NULL; 2886 cd->enc_tmpl = NULL; 2887 cd->hmac_tmpl = NULL; 2888 } 2889 2890 /* Final sanity checks, make sure no fields are NULL */ 2891 if (cd->method != CRYPT_METHOD_NONE) { 2892 if (cd->block == NULL && cd->blocklen > 0) { 2893 #ifdef DEBUG 2894 cmn_err(CE_WARN, 2895 "setup_crypto: IV block not allocated"); 2896 #endif 2897 return (ENOMEM); 2898 } 2899 if (cd->key == NULL && cd->keylen > 0) { 2900 #ifdef DEBUG 2901 cmn_err(CE_WARN, 2902 "setup_crypto: key block not allocated"); 2903 #endif 2904 return (ENOMEM); 2905 } 2906 if (cd->method == CRYPT_METHOD_DES_CFB && 2907 cd->saveblock == NULL && cd->blocklen > 0) { 2908 #ifdef DEBUG 2909 cmn_err(CE_WARN, 2910 "setup_crypto: save block not allocated"); 2911 #endif 2912 return (ENOMEM); 2913 } 2914 if (cd->ivec == NULL && cd->ivlen > 0) { 2915 #ifdef DEBUG 2916 cmn_err(CE_WARN, 2917 "setup_crypto: IV not allocated"); 2918 #endif 2919 return (ENOMEM); 2920 } 2921 } 2922 return (0); 2923 } 2924 2925 /* 2926 * RCMDS require a 4 byte, clear text 2927 * length field before each message. 2928 * Add it now. 2929 */ 2930 static mblk_t * 2931 mklenmp(mblk_t *bp, uint32_t len) 2932 { 2933 mblk_t *lenmp; 2934 uchar_t *ucp; 2935 2936 if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) { 2937 lenmp = allocb(4, BPRI_MED); 2938 if (lenmp != NULL) { 2939 lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp); 2940 linkb(lenmp, bp); 2941 bp = lenmp; 2942 } 2943 } 2944 ucp = bp->b_rptr; 2945 *--ucp = len; 2946 *--ucp = len >> 8; 2947 *--ucp = len >> 16; 2948 *--ucp = len >> 24; 2949 2950 bp->b_rptr = ucp; 2951 2952 return (bp); 2953 } 2954 2955 /* 2956 * encrypt_msgb 2957 * 2958 * encrypt a single message. This routine adds the 2959 * RCMD overhead bytes when necessary. 2960 */ 2961 static mblk_t * 2962 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) 2963 { 2964 mblk_t *newmp; 2965 size_t plainlen; 2966 size_t headspace; 2967 2968 if (tmi->enc_data.method == CRYPT_METHOD_NONE) { 2969 return (mp); 2970 } 2971 2972 /* 2973 * process message 2974 */ 2975 newmp = NULL; 2976 if ((plainlen = MBLKL(mp)) > 0) { 2977 mblk_t *cbp; 2978 size_t cipherlen; 2979 size_t extra = 0; 2980 uint32_t ptlen = (uint32_t)plainlen; 2981 2982 /* 2983 * If we are using the "NEW" RCMD mode, 2984 * add 4 bytes to the plaintext for the 2985 * plaintext length that gets prepended 2986 * before encrypting. 2987 */ 2988 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 2989 ptlen += 4; 2990 2991 cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen); 2992 2993 /* 2994 * if we must allocb, then make sure its enough 2995 * to hold the length field so we dont have to allocb 2996 * again down below in 'mklenmp' 2997 */ 2998 if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) { 2999 extra = sizeof (uint32_t); 3000 } 3001 3002 /* 3003 * Calculate how much space is needed in front of 3004 * the data. 3005 */ 3006 headspace = plaintext_offset(&tmi->enc_data); 3007 3008 /* 3009 * If the current block is too small, reallocate 3010 * one large enough to hold the hdr, tail, and 3011 * ciphertext. 3012 */ 3013 if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) { 3014 int sz = P2ROUNDUP(cipherlen+extra, 8); 3015 3016 cbp = allocb_tmpl(sz, mp); 3017 if (cbp == NULL) { 3018 cmn_err(CE_WARN, 3019 "allocb (%d bytes) failed", sz); 3020 return (NULL); 3021 } 3022 3023 cbp->b_cont = mp->b_cont; 3024 3025 /* 3026 * headspace includes the length fields needed 3027 * for the RCMD modes (v1 == 4 bytes, V2 = 8) 3028 */ 3029 cbp->b_rptr = DB_BASE(cbp) + headspace; 3030 3031 ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen, 8) 3032 <= DB_LIM(cbp)); 3033 3034 bcopy(mp->b_rptr, cbp->b_rptr, plainlen); 3035 cbp->b_wptr = cbp->b_rptr + plainlen; 3036 3037 freeb(mp); 3038 } else { 3039 size_t extra = 0; 3040 cbp = mp; 3041 3042 /* 3043 * Some ciphers add HMAC after the final block 3044 * of the ciphertext, not at the beginning like the 3045 * 1-DES ciphers. 3046 */ 3047 if (tmi->enc_data.method == 3048 CRYPT_METHOD_DES3_CBC_SHA1 || 3049 IS_AES_METHOD(tmi->enc_data.method)) { 3050 extra = sha1_hash.hash_len; 3051 } 3052 3053 /* 3054 * Make sure the rptr is positioned correctly so that 3055 * routines later do not have to shift this data around 3056 */ 3057 if ((cbp->b_rptr + P2ROUNDUP(plainlen + extra, 8) > 3058 DB_LIM(cbp)) || 3059 (cbp->b_rptr - headspace < DB_BASE(cbp))) { 3060 ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace, 3061 plainlen); 3062 cbp->b_rptr = DB_BASE(cbp) + headspace; 3063 cbp->b_wptr = cbp->b_rptr + plainlen; 3064 } 3065 } 3066 3067 ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp)); 3068 ASSERT(cbp->b_wptr <= DB_LIM(cbp)); 3069 3070 /* 3071 * If using RCMD_MODE_V2 (new rcmd mode), prepend 3072 * the plaintext length before the actual plaintext. 3073 */ 3074 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) { 3075 cbp->b_rptr -= RCMD_LEN_SZ; 3076 3077 /* put plaintext length at head of buffer */ 3078 *(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff); 3079 *(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff); 3080 *(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff); 3081 *(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff); 3082 } 3083 3084 newmp = do_encrypt(q, cbp); 3085 3086 if (newmp != NULL && 3087 (tmi->enc_data.option_mask & 3088 (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) { 3089 mblk_t *lp; 3090 /* 3091 * Add length field, required when this is 3092 * used to encrypt "r*" commands(rlogin, rsh) 3093 * with Kerberos. 3094 */ 3095 lp = mklenmp(newmp, plainlen); 3096 3097 if (lp == NULL) { 3098 freeb(newmp); 3099 return (NULL); 3100 } else { 3101 newmp = lp; 3102 } 3103 } 3104 } else { 3105 freeb(mp); 3106 } 3107 3108 return (newmp); 3109 } 3110 3111 /* 3112 * cryptmodwsrv 3113 * 3114 * Service routine for the write queue. 3115 * 3116 * Because data may be placed in the queue to hold between 3117 * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed. 3118 */ 3119 static int 3120 cryptmodwsrv(queue_t *q) 3121 { 3122 mblk_t *mp; 3123 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 3124 3125 while ((mp = getq(q)) != NULL) { 3126 switch (mp->b_datap->db_type) { 3127 default: 3128 /* 3129 * wput does not queue anything > QPCTL 3130 */ 3131 if (!canputnext(q) || 3132 !(tmi->ready & CRYPT_WRITE_READY)) { 3133 if (!putbq(q, mp)) { 3134 freemsg(mp); 3135 } 3136 return (0); 3137 } 3138 putnext(q, mp); 3139 break; 3140 case M_DATA: 3141 if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) { 3142 mblk_t *bp; 3143 mblk_t *newmsg = NULL; 3144 3145 /* 3146 * If multiple msgs, concat into 1 3147 * to minimize crypto operations later. 3148 */ 3149 if (mp->b_cont != NULL) { 3150 bp = msgpullup(mp, -1); 3151 if (bp != NULL) { 3152 freemsg(mp); 3153 mp = bp; 3154 } 3155 } 3156 newmsg = encrypt_msgb(q, tmi, mp); 3157 if (newmsg != NULL) 3158 putnext(q, newmsg); 3159 } else { 3160 if (!putbq(q, mp)) { 3161 freemsg(mp); 3162 } 3163 return (0); 3164 } 3165 break; 3166 } 3167 } 3168 return (0); 3169 } 3170 3171 static void 3172 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir) 3173 { 3174 mblk_t *newmp = NULL; 3175 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr; 3176 3177 if (dir == CRYPT_ENCRYPT) { 3178 tmi->ready |= CRYPT_WRITE_READY; 3179 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, 3180 "start_stream: restart ENCRYPT/WRITE q")); 3181 3182 enableok(wq); 3183 qenable(wq); 3184 } else if (dir == CRYPT_DECRYPT) { 3185 /* 3186 * put any extra data in the RD 3187 * queue to be processed and 3188 * sent back up. 3189 */ 3190 newmp = mp->b_cont; 3191 mp->b_cont = NULL; 3192 3193 tmi->ready |= CRYPT_READ_READY; 3194 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3195 SL_TRACE|SL_NOTE, 3196 "start_stream: restart " 3197 "DECRYPT/READ q")); 3198 3199 if (newmp != NULL) 3200 if (!putbq(RD(wq), newmp)) 3201 freemsg(newmp); 3202 3203 enableok(RD(wq)); 3204 qenable(RD(wq)); 3205 } 3206 3207 miocack(wq, mp, 0, 0); 3208 } 3209 3210 /* 3211 * Write-side put procedure. Its main task is to detect ioctls and 3212 * FLUSH operations. Other message types are passed on through. 3213 */ 3214 static void 3215 cryptmodwput(queue_t *wq, mblk_t *mp) 3216 { 3217 struct iocblk *iocp; 3218 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr; 3219 int ret, err; 3220 3221 switch (mp->b_datap->db_type) { 3222 case M_DATA: 3223 if (wq->q_first == NULL && canputnext(wq) && 3224 (tmi->ready & CRYPT_WRITE_READY) && 3225 tmi->enc_data.method == CRYPT_METHOD_NONE) { 3226 putnext(wq, mp); 3227 return; 3228 } 3229 /* else, put it in the service queue */ 3230 if (!putq(wq, mp)) { 3231 freemsg(mp); 3232 } 3233 break; 3234 case M_FLUSH: 3235 if (*mp->b_rptr & FLUSHW) { 3236 flushq(wq, FLUSHDATA); 3237 } 3238 putnext(wq, mp); 3239 break; 3240 case M_IOCTL: 3241 iocp = (struct iocblk *)mp->b_rptr; 3242 switch (iocp->ioc_cmd) { 3243 case CRYPTIOCSETUP: 3244 ret = 0; 3245 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3246 SL_TRACE | SL_NOTE, 3247 "wput: got CRYPTIOCSETUP " 3248 "ioctl(%d)", iocp->ioc_cmd)); 3249 3250 if ((err = miocpullup(mp, 3251 sizeof (struct cr_info_t))) != 0) { 3252 cmn_err(CE_WARN, 3253 "wput: miocpullup failed for cr_info_t"); 3254 miocnak(wq, mp, 0, err); 3255 } else { 3256 struct cr_info_t *ci; 3257 ci = (struct cr_info_t *)mp->b_cont->b_rptr; 3258 3259 if (ci->direction_mask & CRYPT_ENCRYPT) { 3260 ret = setup_crypto(ci, &tmi->enc_data, 1); 3261 } 3262 3263 if (ret == 0 && 3264 (ci->direction_mask & CRYPT_DECRYPT)) { 3265 ret = setup_crypto(ci, &tmi->dec_data, 0); 3266 } 3267 if (ret == 0 && 3268 (ci->direction_mask & CRYPT_DECRYPT) && 3269 ANY_RCMD_MODE(tmi->dec_data.option_mask)) { 3270 bzero(&tmi->rcmd_state, 3271 sizeof (tmi->rcmd_state)); 3272 } 3273 if (ret == 0) { 3274 miocack(wq, mp, 0, 0); 3275 } else { 3276 cmn_err(CE_WARN, 3277 "wput: setup_crypto failed"); 3278 miocnak(wq, mp, 0, ret); 3279 } 3280 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3281 SL_TRACE|SL_NOTE, 3282 "wput: done with SETUP " 3283 "ioctl")); 3284 } 3285 break; 3286 case CRYPTIOCSTOP: 3287 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3288 SL_TRACE|SL_NOTE, 3289 "wput: got CRYPTIOCSTOP " 3290 "ioctl(%d)", iocp->ioc_cmd)); 3291 3292 if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) { 3293 cmn_err(CE_WARN, 3294 "wput: CRYPTIOCSTOP ioctl wrong " 3295 "size (%d should be %d)", 3296 (int)iocp->ioc_count, 3297 (int)sizeof (uint32_t)); 3298 miocnak(wq, mp, 0, err); 3299 } else { 3300 uint32_t *stopdir; 3301 3302 stopdir = (uint32_t *)mp->b_cont->b_rptr; 3303 if (!CR_DIRECTION_OK(*stopdir)) { 3304 miocnak(wq, mp, 0, EINVAL); 3305 return; 3306 } 3307 3308 /* disable the queues until further notice */ 3309 if (*stopdir & CRYPT_ENCRYPT) { 3310 noenable(wq); 3311 tmi->ready &= ~CRYPT_WRITE_READY; 3312 } 3313 if (*stopdir & CRYPT_DECRYPT) { 3314 noenable(RD(wq)); 3315 tmi->ready &= ~CRYPT_READ_READY; 3316 } 3317 3318 miocack(wq, mp, 0, 0); 3319 } 3320 break; 3321 case CRYPTIOCSTARTDEC: 3322 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3323 SL_TRACE|SL_NOTE, 3324 "wput: got CRYPTIOCSTARTDEC " 3325 "ioctl(%d)", iocp->ioc_cmd)); 3326 3327 start_stream(wq, mp, CRYPT_DECRYPT); 3328 break; 3329 case CRYPTIOCSTARTENC: 3330 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3331 SL_TRACE|SL_NOTE, 3332 "wput: got CRYPTIOCSTARTENC " 3333 "ioctl(%d)", iocp->ioc_cmd)); 3334 3335 start_stream(wq, mp, CRYPT_ENCRYPT); 3336 break; 3337 default: 3338 putnext(wq, mp); 3339 break; 3340 } 3341 break; 3342 default: 3343 if (queclass(mp) < QPCTL) { 3344 if (wq->q_first != NULL || !canputnext(wq)) { 3345 if (!putq(wq, mp)) 3346 freemsg(mp); 3347 return; 3348 } 3349 } 3350 putnext(wq, mp); 3351 break; 3352 } 3353 } 3354 3355 /* 3356 * decrypt_rcmd_mblks 3357 * 3358 * Because kerberized r* commands(rsh, rlogin, etc) 3359 * use a 4 byte length field to indicate the # of 3360 * PLAINTEXT bytes that are encrypted in the field 3361 * that follows, we must parse out each message and 3362 * break out the length fields prior to sending them 3363 * upstream to our Solaris r* clients/servers which do 3364 * NOT understand this format. 3365 * 3366 * Kerberized/encrypted message format: 3367 * ------------------------------- 3368 * | XXXX | N bytes of ciphertext| 3369 * ------------------------------- 3370 * 3371 * Where: XXXX = number of plaintext bytes that were encrypted in 3372 * to make the ciphertext field. This is done 3373 * because we are using a cipher that pads out to 3374 * an 8 byte boundary. We only want the application 3375 * layer to see the correct number of plain text bytes, 3376 * not plaintext + pad. So, after we decrypt, we 3377 * must trim the output block down to the intended 3378 * plaintext length and eliminate the pad bytes. 3379 * 3380 * This routine takes the entire input message, breaks it into 3381 * a new message that does not contain these length fields and 3382 * returns a message consisting of mblks filled with just ciphertext. 3383 * 3384 */ 3385 static mblk_t * 3386 decrypt_rcmd_mblks(queue_t *q, mblk_t *mp) 3387 { 3388 mblk_t *newmp = NULL; 3389 size_t msglen; 3390 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 3391 3392 msglen = msgsize(mp); 3393 3394 /* 3395 * If we need the length field, get it here. 3396 * Test the "plaintext length" indicator. 3397 */ 3398 if (tmi->rcmd_state.pt_len == 0) { 3399 uint32_t elen; 3400 int tocopy; 3401 mblk_t *nextp; 3402 3403 /* 3404 * Make sure we have recieved all 4 bytes of the 3405 * length field. 3406 */ 3407 while (mp != NULL) { 3408 ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t)); 3409 3410 tocopy = sizeof (uint32_t) - 3411 tmi->rcmd_state.cd_len; 3412 if (tocopy > msglen) 3413 tocopy = msglen; 3414 3415 ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp)); 3416 bcopy(mp->b_rptr, 3417 (char *)(&tmi->rcmd_state.next_len + 3418 tmi->rcmd_state.cd_len), tocopy); 3419 3420 tmi->rcmd_state.cd_len += tocopy; 3421 3422 if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) { 3423 tmi->rcmd_state.next_len = 3424 ntohl(tmi->rcmd_state.next_len); 3425 break; 3426 } 3427 3428 nextp = mp->b_cont; 3429 mp->b_cont = NULL; 3430 freeb(mp); 3431 mp = nextp; 3432 } 3433 3434 if (mp == NULL) { 3435 return (NULL); 3436 } 3437 /* 3438 * recalculate the msglen now that we've read the 3439 * length and adjusted the bufptr (b_rptr). 3440 */ 3441 msglen -= tocopy; 3442 mp->b_rptr += tocopy; 3443 3444 tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len; 3445 3446 if (tmi->rcmd_state.pt_len <= 0) { 3447 /* 3448 * Return an IO error to break the connection. there 3449 * is no way to recover from this. Usually it means 3450 * the app has incorrectly requested decryption on 3451 * a non-encrypted stream, thus the "pt_len" field 3452 * is negative. 3453 */ 3454 mp->b_datap->db_type = M_ERROR; 3455 mp->b_rptr = mp->b_datap->db_base; 3456 *mp->b_rptr = EIO; 3457 mp->b_wptr = mp->b_rptr + sizeof (char); 3458 3459 freemsg(mp->b_cont); 3460 mp->b_cont = NULL; 3461 qreply(WR(q), mp); 3462 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0; 3463 return (NULL); 3464 } 3465 3466 /* 3467 * If this is V2 mode, then the encrypted data is actually 3468 * 4 bytes bigger than the indicated len because the plaintext 3469 * length is encrypted for an additional security check, but 3470 * its not counted as part of the overall length we just read. 3471 * Strange and confusing, but true. 3472 */ 3473 3474 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 3475 elen = tmi->rcmd_state.pt_len + 4; 3476 else 3477 elen = tmi->rcmd_state.pt_len; 3478 3479 tmi->rcmd_state.cd_len = encrypt_size(&tmi->dec_data, elen); 3480 3481 /* 3482 * Allocate an mblk to hold the cipher text until it is 3483 * all ready to be processed. 3484 */ 3485 tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len, 3486 BPRI_HI); 3487 if (tmi->rcmd_state.c_msg == NULL) { 3488 #ifdef DEBUG 3489 cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed " 3490 "for %d bytes", 3491 (int)tmi->rcmd_state.cd_len); 3492 #endif 3493 /* 3494 * Return an IO error to break the connection. 3495 */ 3496 mp->b_datap->db_type = M_ERROR; 3497 mp->b_rptr = mp->b_datap->db_base; 3498 *mp->b_rptr = EIO; 3499 mp->b_wptr = mp->b_rptr + sizeof (char); 3500 freemsg(mp->b_cont); 3501 mp->b_cont = NULL; 3502 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0; 3503 qreply(WR(q), mp); 3504 return (NULL); 3505 } 3506 } 3507 3508 /* 3509 * If this entire message was just the length field, 3510 * free and return. The actual data will probably be next. 3511 */ 3512 if (msglen == 0) { 3513 freemsg(mp); 3514 return (NULL); 3515 } 3516 3517 /* 3518 * Copy as much of the cipher text as possible into 3519 * the new msgb (c_msg). 3520 * 3521 * Logic: if we got some bytes (msglen) and we still 3522 * "need" some bytes (len-rcvd), get them here. 3523 */ 3524 ASSERT(tmi->rcmd_state.c_msg != NULL); 3525 if (msglen > 0 && 3526 (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) { 3527 mblk_t *bp, *nextp; 3528 size_t n; 3529 3530 /* 3531 * Walk the mblks and copy just as many bytes as we need 3532 * for this particular block of cipher text. 3533 */ 3534 bp = mp; 3535 while (bp != NULL) { 3536 size_t needed; 3537 size_t tocopy; 3538 n = MBLKL(bp); 3539 3540 needed = tmi->rcmd_state.cd_len - 3541 MBLKL(tmi->rcmd_state.c_msg); 3542 3543 tocopy = (needed >= n ? n : needed); 3544 3545 ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp)); 3546 ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <= 3547 DB_LIM(tmi->rcmd_state.c_msg)); 3548 3549 /* Copy to end of new mblk */ 3550 bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr, 3551 tocopy); 3552 3553 tmi->rcmd_state.c_msg->b_wptr += tocopy; 3554 3555 bp->b_rptr += tocopy; 3556 3557 nextp = bp->b_cont; 3558 3559 /* 3560 * If we used this whole block, free it and 3561 * move on. 3562 */ 3563 if (!MBLKL(bp)) { 3564 freeb(bp); 3565 bp = NULL; 3566 } 3567 3568 /* If we got what we needed, stop the loop */ 3569 if (MBLKL(tmi->rcmd_state.c_msg) == 3570 tmi->rcmd_state.cd_len) { 3571 /* 3572 * If there is more data in the message, 3573 * its for another block of cipher text, 3574 * put it back in the queue for next time. 3575 */ 3576 if (bp) { 3577 if (!putbq(q, bp)) 3578 freemsg(bp); 3579 } else if (nextp != NULL) { 3580 /* 3581 * If there is more, put it back in the 3582 * queue for another pass thru. 3583 */ 3584 if (!putbq(q, nextp)) 3585 freemsg(nextp); 3586 } 3587 break; 3588 } 3589 bp = nextp; 3590 } 3591 } 3592 /* 3593 * Finally, if we received all the cipher text data for 3594 * this message, decrypt it into a new msg and send it up 3595 * to the app. 3596 */ 3597 if (tmi->rcmd_state.pt_len > 0 && 3598 MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) { 3599 mblk_t *bp; 3600 mblk_t *newbp; 3601 3602 /* 3603 * Now we can use our msg that we created when the 3604 * initial message boundary was detected. 3605 */ 3606 bp = tmi->rcmd_state.c_msg; 3607 tmi->rcmd_state.c_msg = NULL; 3608 3609 newbp = do_decrypt(q, bp); 3610 if (newbp != NULL) { 3611 bp = newbp; 3612 /* 3613 * If using RCMD_MODE_V2 ("new" mode), 3614 * look at the 4 byte plaintext length that 3615 * was just decrypted and compare with the 3616 * original pt_len value that was received. 3617 */ 3618 if (tmi->dec_data.option_mask & 3619 CRYPTOPT_RCMD_MODE_V2) { 3620 uint32_t pt_len2; 3621 3622 pt_len2 = *(uint32_t *)bp->b_rptr; 3623 pt_len2 = ntohl(pt_len2); 3624 /* 3625 * Make sure the 2 pt len fields agree. 3626 */ 3627 if (pt_len2 != tmi->rcmd_state.pt_len) { 3628 cmn_err(CE_WARN, 3629 "Inconsistent length fields" 3630 " received %d != %d", 3631 (int)tmi->rcmd_state.pt_len, 3632 (int)pt_len2); 3633 bp->b_datap->db_type = M_ERROR; 3634 bp->b_rptr = bp->b_datap->db_base; 3635 *bp->b_rptr = EIO; 3636 bp->b_wptr = bp->b_rptr + sizeof (char); 3637 freemsg(bp->b_cont); 3638 bp->b_cont = NULL; 3639 tmi->rcmd_state.cd_len = 0; 3640 qreply(WR(q), bp); 3641 return (NULL); 3642 } 3643 bp->b_rptr += sizeof (uint32_t); 3644 } 3645 3646 /* 3647 * Trim the decrypted block the length originally 3648 * indicated by the sender. This is to remove any 3649 * padding bytes that the sender added to satisfy 3650 * requirements of the crypto algorithm. 3651 */ 3652 bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len; 3653 3654 newmp = bp; 3655 3656 /* 3657 * Reset our state to indicate we are ready 3658 * for a new message. 3659 */ 3660 tmi->rcmd_state.pt_len = 0; 3661 tmi->rcmd_state.cd_len = 0; 3662 } else { 3663 #ifdef DEBUG 3664 cmn_err(CE_WARN, 3665 "decrypt_rcmd: do_decrypt on %d bytes failed", 3666 (int)tmi->rcmd_state.cd_len); 3667 #endif 3668 /* 3669 * do_decrypt already handled failures, just 3670 * return NULL. 3671 */ 3672 tmi->rcmd_state.pt_len = 0; 3673 tmi->rcmd_state.cd_len = 0; 3674 return (NULL); 3675 } 3676 } 3677 3678 /* 3679 * return the new message with the 'length' fields removed 3680 */ 3681 return (newmp); 3682 } 3683 3684 /* 3685 * cryptmodrsrv 3686 * 3687 * Read queue service routine 3688 * Necessary because if the ready flag is not set 3689 * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data 3690 * must remain on queue and not be passed along. 3691 */ 3692 static int 3693 cryptmodrsrv(queue_t *q) 3694 { 3695 mblk_t *mp, *bp; 3696 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 3697 3698 while ((mp = getq(q)) != NULL) { 3699 switch (mp->b_datap->db_type) { 3700 case M_DATA: 3701 if (canputnext(q) && tmi->ready & CRYPT_READ_READY) { 3702 /* 3703 * Process "rcmd" messages differently because 3704 * they contain a 4 byte plaintext length 3705 * id that needs to be removed. 3706 */ 3707 if (tmi->dec_data.method != CRYPT_METHOD_NONE && 3708 (tmi->dec_data.option_mask & 3709 (CRYPTOPT_RCMD_MODE_V1 | 3710 CRYPTOPT_RCMD_MODE_V2))) { 3711 mp = decrypt_rcmd_mblks(q, mp); 3712 if (mp) 3713 putnext(q, mp); 3714 continue; 3715 } 3716 if ((bp = msgpullup(mp, -1)) != NULL) { 3717 freemsg(mp); 3718 if (MBLKL(bp) > 0) { 3719 mp = do_decrypt(q, bp); 3720 if (mp != NULL) 3721 putnext(q, mp); 3722 } 3723 } 3724 } else { 3725 if (!putbq(q, mp)) { 3726 freemsg(mp); 3727 } 3728 return (0); 3729 } 3730 break; 3731 default: 3732 /* 3733 * rput does not queue anything > QPCTL, so we don't 3734 * need to check for it here. 3735 */ 3736 if (!canputnext(q)) { 3737 if (!putbq(q, mp)) 3738 freemsg(mp); 3739 return (0); 3740 } 3741 putnext(q, mp); 3742 break; 3743 } 3744 } 3745 return (0); 3746 } 3747 3748 3749 /* 3750 * Read-side put procedure. 3751 */ 3752 static void 3753 cryptmodrput(queue_t *rq, mblk_t *mp) 3754 { 3755 switch (mp->b_datap->db_type) { 3756 case M_DATA: 3757 if (!putq(rq, mp)) { 3758 freemsg(mp); 3759 } 3760 break; 3761 case M_FLUSH: 3762 if (*mp->b_rptr & FLUSHR) { 3763 flushq(rq, FLUSHALL); 3764 } 3765 putnext(rq, mp); 3766 break; 3767 default: 3768 if (queclass(mp) < QPCTL) { 3769 if (rq->q_first != NULL || !canputnext(rq)) { 3770 if (!putq(rq, mp)) 3771 freemsg(mp); 3772 return; 3773 } 3774 } 3775 putnext(rq, mp); 3776 break; 3777 } 3778 } 3779