1 /* 2 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 * 5 * STREAMS Crypto Module 6 * 7 * This module is used to facilitate Kerberos encryption 8 * operations for the telnet daemon and rlogin daemon. 9 * Because the Solaris telnet and rlogin daemons run mostly 10 * in-kernel via 'telmod' and 'rlmod', this module must be 11 * pushed on the STREAM *below* telmod or rlmod. 12 * 13 * Parts of the 3DES key derivation code are covered by the 14 * following copyright. 15 * 16 * Copyright (C) 1998 by the FundsXpress, INC. 17 * 18 * All rights reserved. 19 * 20 * Export of this software from the United States of America may require 21 * a specific license from the United States Government. It is the 22 * responsibility of any person or organization contemplating export to 23 * obtain such a license before exporting. 24 * 25 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 26 * distribute this software and its documentation for any purpose and 27 * without fee is hereby granted, provided that the above copyright 28 * notice appear in all copies and that both that copyright notice and 29 * this permission notice appear in supporting documentation, and that 30 * the name of FundsXpress. not be used in advertising or publicity pertaining 31 * to distribution of the software without specific, written prior 32 * permission. FundsXpress makes no representations about the suitability of 33 * this software for any purpose. It is provided "as is" without express 34 * or implied warranty. 35 * 36 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 37 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 38 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 39 */ 40 #pragma ident "%Z%%M% %I% %E% SMI" 41 42 #include <sys/types.h> 43 #include <sys/sysmacros.h> 44 #include <sys/errno.h> 45 #include <sys/debug.h> 46 #include <sys/time.h> 47 #include <sys/stropts.h> 48 #include <sys/stream.h> 49 #include <sys/strsubr.h> 50 #include <sys/strlog.h> 51 #include <sys/cmn_err.h> 52 #include <sys/conf.h> 53 #include <sys/sunddi.h> 54 #include <sys/kmem.h> 55 #include <sys/strsun.h> 56 #include <sys/random.h> 57 #include <sys/types.h> 58 #include <sys/byteorder.h> 59 #include <sys/cryptmod.h> 60 #include <sys/crc32.h> 61 #include <sys/policy.h> 62 63 #include <sys/crypto/api.h> 64 65 #include <sys/strft.h> 66 /* 67 * Function prototypes. 68 */ 69 static int cryptmodopen(queue_t *, dev_t *, int, int, cred_t *); 70 static void cryptmodrput(queue_t *, mblk_t *); 71 static void cryptmodwput(queue_t *, mblk_t *); 72 static int cryptmodclose(queue_t *); 73 static int cryptmodwsrv(queue_t *); 74 static int cryptmodrsrv(queue_t *); 75 76 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp); 77 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp); 78 79 #define CRYPTMOD_ID 5150 80 81 #define CFB_BLKSZ 8 82 83 #define K5CLENGTH 5 84 85 static struct module_info cryptmod_minfo = { 86 CRYPTMOD_ID, /* mi_idnum */ 87 "cryptmod", /* mi_idname */ 88 0, /* mi_minpsz */ 89 INFPSZ, /* mi_maxpsz */ 90 65536, /* mi_hiwat */ 91 1024 /* mi_lowat */ 92 }; 93 94 static struct qinit cryptmod_rinit = { 95 (int (*)())cryptmodrput, /* qi_putp */ 96 cryptmodrsrv, /* qi_svc */ 97 cryptmodopen, /* qi_qopen */ 98 cryptmodclose, /* qi_qclose */ 99 NULL, /* qi_qadmin */ 100 &cryptmod_minfo, /* qi_minfo */ 101 NULL /* qi_mstat */ 102 }; 103 104 static struct qinit cryptmod_winit = { 105 (int (*)())cryptmodwput, /* qi_putp */ 106 cryptmodwsrv, /* qi_srvp */ 107 NULL, /* qi_qopen */ 108 NULL, /* qi_qclose */ 109 NULL, /* qi_qadmin */ 110 &cryptmod_minfo, /* qi_minfo */ 111 NULL /* qi_mstat */ 112 }; 113 114 static struct streamtab cryptmod_info = { 115 &cryptmod_rinit, /* st_rdinit */ 116 &cryptmod_winit, /* st_wrinit */ 117 NULL, /* st_muxrinit */ 118 NULL /* st_muxwinit */ 119 }; 120 121 typedef struct { 122 uint_t hash_len; 123 uint_t confound_len; 124 int (*hashfunc)(); 125 } hash_info_t; 126 127 #define MAX_CKSUM_LEN 20 128 #define CONFOUNDER_LEN 8 129 130 #define SHA1_HASHSIZE 20 131 #define MD5_HASHSIZE 16 132 #define CRC32_HASHSIZE 4 133 #define MSGBUF_SIZE 4096 134 #define CONFOUNDER_BYTES 128 135 136 137 static int crc32_calc(uchar_t *, uchar_t *, uint_t); 138 static int md5_calc(uchar_t *, uchar_t *, uint_t); 139 static int sha1_calc(uchar_t *, uchar_t *, uint_t); 140 141 static hash_info_t null_hash = {0, 0, NULL}; 142 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc}; 143 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc}; 144 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc}; 145 146 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID; 147 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID; 148 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID; 149 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID; 150 151 static int kef_crypt(struct cipher_data_t *, void *, 152 crypto_data_format_t, size_t, int); 153 static mblk_t * 154 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *, 155 mblk_t *, hash_info_t *); 156 static mblk_t * 157 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *, 158 mblk_t *, hash_info_t *); 159 160 static int 161 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int); 162 163 /* 164 * This is the loadable module wrapper. 165 */ 166 #include <sys/modctl.h> 167 168 static struct fmodsw fsw = { 169 "cryptmod", 170 &cryptmod_info, 171 D_MP | D_MTQPAIR 172 }; 173 174 /* 175 * Module linkage information for the kernel. 176 */ 177 static struct modlstrmod modlstrmod = { 178 &mod_strmodops, 179 "STREAMS encryption module %I%", 180 &fsw 181 }; 182 183 static struct modlinkage modlinkage = { 184 MODREV_1, 185 &modlstrmod, 186 NULL 187 }; 188 189 int 190 _init(void) 191 { 192 return (mod_install(&modlinkage)); 193 } 194 195 int 196 _fini(void) 197 { 198 return (mod_remove(&modlinkage)); 199 } 200 201 int 202 _info(struct modinfo *modinfop) 203 { 204 return (mod_info(&modlinkage, modinfop)); 205 } 206 207 static void 208 cleanup(struct cipher_data_t *cd) 209 { 210 if (cd->key != NULL) { 211 bzero(cd->key, cd->keylen); 212 kmem_free(cd->key, cd->keylen); 213 cd->key = NULL; 214 } 215 216 if (cd->ckey != NULL) { 217 /* 218 * ckey is a crypto_key_t structure which references 219 * "cd->key" for its raw key data. Since that was already 220 * cleared out, we don't need another "bzero" here. 221 */ 222 kmem_free(cd->ckey, sizeof (crypto_key_t)); 223 cd->ckey = NULL; 224 } 225 226 if (cd->block != NULL) { 227 kmem_free(cd->block, cd->blocklen); 228 cd->block = NULL; 229 } 230 231 if (cd->saveblock != NULL) { 232 kmem_free(cd->saveblock, cd->blocklen); 233 cd->saveblock = NULL; 234 } 235 236 if (cd->ivec != NULL) { 237 kmem_free(cd->ivec, cd->ivlen); 238 cd->ivec = NULL; 239 } 240 241 if (cd->d_encr_key.ck_data != NULL) { 242 bzero(cd->d_encr_key.ck_data, cd->keylen); 243 kmem_free(cd->d_encr_key.ck_data, cd->keylen); 244 } 245 246 if (cd->d_hmac_key.ck_data != NULL) { 247 bzero(cd->d_hmac_key.ck_data, cd->keylen); 248 kmem_free(cd->d_hmac_key.ck_data, cd->keylen); 249 } 250 251 if (cd->enc_tmpl != NULL) 252 (void) crypto_destroy_ctx_template(cd->enc_tmpl); 253 254 if (cd->hmac_tmpl != NULL) 255 (void) crypto_destroy_ctx_template(cd->hmac_tmpl); 256 257 if (cd->ctx != NULL) { 258 crypto_cancel_ctx(cd->ctx); 259 cd->ctx = NULL; 260 } 261 } 262 263 /* ARGSUSED */ 264 static int 265 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp) 266 { 267 struct tmodinfo *tmi; 268 ASSERT(rq); 269 270 if (sflag != MODOPEN) 271 return (EINVAL); 272 273 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, 274 "cryptmodopen: opening module(PID %d)", 275 ddi_get_pid())); 276 277 if (rq->q_ptr != NULL) { 278 cmn_err(CE_WARN, "cryptmodopen: already opened"); 279 return (0); 280 } 281 282 /* 283 * Allocate and initialize per-Stream structure. 284 */ 285 tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo), 286 KM_SLEEP); 287 288 tmi->enc_data.method = CRYPT_METHOD_NONE; 289 tmi->dec_data.method = CRYPT_METHOD_NONE; 290 291 tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY); 292 293 rq->q_ptr = WR(rq)->q_ptr = tmi; 294 295 sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC); 296 md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC); 297 sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1); 298 md5_hash_mech = crypto_mech2id(SUN_CKM_MD5); 299 300 qprocson(rq); 301 302 return (0); 303 } 304 305 static int 306 cryptmodclose(queue_t *rq) 307 { 308 struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr; 309 ASSERT(tmi); 310 311 qprocsoff(rq); 312 313 cleanup(&tmi->enc_data); 314 cleanup(&tmi->dec_data); 315 316 kmem_free(tmi, sizeof (struct tmodinfo)); 317 rq->q_ptr = WR(rq)->q_ptr = NULL; 318 319 return (0); 320 } 321 322 /* 323 * plaintext_offset 324 * 325 * Calculate exactly how much space is needed in front 326 * of the "plaintext" in an mbuf so it can be positioned 327 * 1 time instead of potentially moving the data multiple 328 * times. 329 */ 330 static int 331 plaintext_offset(struct cipher_data_t *cd) 332 { 333 int headspace = 0; 334 335 /* 4 byte length prepended to all RCMD msgs */ 336 if (ANY_RCMD_MODE(cd->option_mask)) 337 headspace += RCMD_LEN_SZ; 338 339 /* RCMD V2 mode adds an additional 4 byte plaintext length */ 340 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2) 341 headspace += RCMD_LEN_SZ; 342 343 /* Need extra space for hash and counfounder */ 344 switch (cd->method) { 345 case CRYPT_METHOD_DES_CBC_NULL: 346 headspace += null_hash.hash_len + null_hash.confound_len; 347 break; 348 case CRYPT_METHOD_DES_CBC_CRC: 349 headspace += crc32_hash.hash_len + crc32_hash.confound_len; 350 break; 351 case CRYPT_METHOD_DES_CBC_MD5: 352 headspace += md5_hash.hash_len + md5_hash.confound_len; 353 break; 354 case CRYPT_METHOD_DES3_CBC_SHA1: 355 headspace += sha1_hash.confound_len; 356 break; 357 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 358 headspace += md5_hash.hash_len + md5_hash.confound_len; 359 break; 360 case CRYPT_METHOD_AES128: 361 case CRYPT_METHOD_AES256: 362 headspace += DEFAULT_AES_BLOCKLEN; 363 break; 364 case CRYPT_METHOD_DES_CFB: 365 case CRYPT_METHOD_NONE: 366 break; 367 } 368 369 return (headspace); 370 } 371 /* 372 * encrypt_size 373 * 374 * Calculate the resulting size when encrypting 'plainlen' bytes 375 * of data. 376 */ 377 static size_t 378 encrypt_size(struct cipher_data_t *cd, size_t plainlen) 379 { 380 size_t cipherlen; 381 382 switch (cd->method) { 383 case CRYPT_METHOD_DES_CBC_NULL: 384 cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len + 385 plainlen, 8); 386 break; 387 case CRYPT_METHOD_DES_CBC_MD5: 388 cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len + 389 md5_hash.confound_len + 390 plainlen, 8); 391 break; 392 case CRYPT_METHOD_DES_CBC_CRC: 393 cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len + 394 crc32_hash.confound_len + 395 plainlen, 8); 396 break; 397 case CRYPT_METHOD_DES3_CBC_SHA1: 398 cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len + 399 plainlen, 8) + 400 sha1_hash.hash_len; 401 break; 402 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 403 cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len + 404 plainlen, 1) + md5_hash.hash_len; 405 break; 406 case CRYPT_METHOD_AES128: 407 case CRYPT_METHOD_AES256: 408 /* No roundup for AES-CBC-CTS */ 409 cipherlen = DEFAULT_AES_BLOCKLEN + plainlen + 410 AES_TRUNCATED_HMAC_LEN; 411 break; 412 case CRYPT_METHOD_DES_CFB: 413 case CRYPT_METHOD_NONE: 414 cipherlen = plainlen; 415 break; 416 } 417 418 return (cipherlen); 419 } 420 421 /* 422 * des_cfb_encrypt 423 * 424 * Encrypt the mblk data using DES with cipher feedback. 425 * 426 * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit 427 * vector, D[n] is the nth chunk of 64 bits of data to encrypt 428 * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted 429 * (decrypted) data, then: 430 * 431 * V[0] = DES(V[i], key) 432 * O[n] = D[n] <exclusive or > V[n] 433 * V[n+1] = DES(O[n], key) 434 * 435 * The size of the message being encrypted does not change in this 436 * algorithm, num_bytes in == num_bytes out. 437 */ 438 static mblk_t * 439 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) 440 { 441 int savedbytes; 442 char *iptr, *optr, *lastoutput; 443 444 lastoutput = optr = (char *)mp->b_rptr; 445 iptr = (char *)mp->b_rptr; 446 savedbytes = tmi->enc_data.bytes % CFB_BLKSZ; 447 448 while (iptr < (char *)mp->b_wptr) { 449 /* 450 * Do DES-ECB. 451 * The first time this runs, the 'tmi->enc_data.block' will 452 * contain the initialization vector that should have been 453 * passed in with the SETUP ioctl. 454 * 455 * V[n] = DES(V[n-1], key) 456 */ 457 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) { 458 int retval = 0; 459 retval = kef_crypt(&tmi->enc_data, 460 tmi->enc_data.block, 461 CRYPTO_DATA_RAW, 462 tmi->enc_data.blocklen, 463 CRYPT_ENCRYPT); 464 465 if (retval != CRYPTO_SUCCESS) { 466 #ifdef DEBUG 467 cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt " 468 "failed - error 0x%0x", retval); 469 #endif 470 mp->b_datap->db_type = M_ERROR; 471 mp->b_rptr = mp->b_datap->db_base; 472 *mp->b_rptr = EIO; 473 mp->b_wptr = mp->b_rptr + sizeof (char); 474 freemsg(mp->b_cont); 475 mp->b_cont = NULL; 476 qreply(WR(q), mp); 477 return (NULL); 478 } 479 } 480 481 /* O[n] = I[n] ^ V[n] */ 482 *(optr++) = *(iptr++) ^ 483 tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ]; 484 485 tmi->enc_data.bytes++; 486 /* 487 * Feedback the encrypted output as the input to next DES call. 488 */ 489 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) { 490 char *dbptr = tmi->enc_data.block; 491 /* 492 * Get the last bits of input from the previous 493 * msg block that we haven't yet used as feedback input. 494 */ 495 if (savedbytes > 0) { 496 bcopy(tmi->enc_data.saveblock, 497 dbptr, (size_t)savedbytes); 498 dbptr += savedbytes; 499 } 500 501 /* 502 * Now copy the correct bytes from the current input 503 * stream and update the 'lastoutput' ptr 504 */ 505 bcopy(lastoutput, dbptr, 506 (size_t)(CFB_BLKSZ - savedbytes)); 507 508 lastoutput += (CFB_BLKSZ - savedbytes); 509 savedbytes = 0; 510 } 511 } 512 /* 513 * If there are bytes of input here that we need in the next 514 * block to build an ivec, save them off here. 515 */ 516 if (lastoutput < optr) { 517 bcopy(lastoutput, 518 tmi->enc_data.saveblock + savedbytes, 519 (uint_t)(optr - lastoutput)); 520 } 521 return (mp); 522 } 523 524 /* 525 * des_cfb_decrypt 526 * 527 * Decrypt the data in the mblk using DES in Cipher Feedback mode 528 * 529 * # bytes in == # bytes out, no padding, confounding, or hashing 530 * is added. 531 * 532 */ 533 static mblk_t * 534 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) 535 { 536 uint_t len; 537 uint_t savedbytes; 538 char *iptr; 539 char *lastinput; 540 uint_t cp; 541 542 len = MBLKL(mp); 543 544 /* decrypted output goes into the new data buffer */ 545 lastinput = iptr = (char *)mp->b_rptr; 546 547 savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen; 548 549 /* 550 * Save the input CFB_BLKSZ bytes at a time. 551 * We are trying to decrypt in-place, but need to keep 552 * a small sliding window of encrypted text to be 553 * used to construct the feedback buffer. 554 */ 555 cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len : 556 tmi->dec_data.blocklen - savedbytes); 557 558 bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp); 559 savedbytes += cp; 560 561 lastinput += cp; 562 563 while (iptr < (char *)mp->b_wptr) { 564 /* 565 * Do DES-ECB. 566 * The first time this runs, the 'tmi->dec_data.block' will 567 * contain the initialization vector that should have been 568 * passed in with the SETUP ioctl. 569 */ 570 if (!(tmi->dec_data.bytes % CFB_BLKSZ)) { 571 int retval; 572 retval = kef_crypt(&tmi->dec_data, 573 tmi->dec_data.block, 574 CRYPTO_DATA_RAW, 575 tmi->dec_data.blocklen, 576 CRYPT_ENCRYPT); 577 578 if (retval != CRYPTO_SUCCESS) { 579 #ifdef DEBUG 580 cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt " 581 "failed - status 0x%0x", retval); 582 #endif 583 mp->b_datap->db_type = M_ERROR; 584 mp->b_rptr = mp->b_datap->db_base; 585 *mp->b_rptr = EIO; 586 mp->b_wptr = mp->b_rptr + sizeof (char); 587 freemsg(mp->b_cont); 588 mp->b_cont = NULL; 589 qreply(WR(q), mp); 590 return (NULL); 591 } 592 } 593 594 /* 595 * To decrypt, XOR the input with the output from the DES call 596 */ 597 *(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes % 598 CFB_BLKSZ]; 599 600 tmi->dec_data.bytes++; 601 602 /* 603 * Feedback the encrypted input for next DES call. 604 */ 605 if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) { 606 char *dbptr = tmi->dec_data.block; 607 /* 608 * Get the last bits of input from the previous block 609 * that we haven't yet processed. 610 */ 611 if (savedbytes > 0) { 612 bcopy(tmi->dec_data.saveblock, 613 dbptr, savedbytes); 614 dbptr += savedbytes; 615 } 616 617 savedbytes = 0; 618 619 /* 620 * This block makes sure that our local 621 * buffer of input data is full and can 622 * be accessed from the beginning. 623 */ 624 if (lastinput < (char *)mp->b_wptr) { 625 626 /* How many bytes are left in the mblk? */ 627 cp = (((char *)mp->b_wptr - lastinput) > 628 tmi->dec_data.blocklen ? 629 tmi->dec_data.blocklen : 630 (char *)mp->b_wptr - lastinput); 631 632 /* copy what we need */ 633 bcopy(lastinput, tmi->dec_data.saveblock, 634 cp); 635 636 lastinput += cp; 637 savedbytes = cp; 638 } 639 } 640 } 641 642 return (mp); 643 } 644 645 /* 646 * crc32_calc 647 * 648 * Compute a CRC32 checksum on the input 649 */ 650 static int 651 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len) 652 { 653 uint32_t crc; 654 655 CRC32(crc, input, len, 0, crc32_table); 656 657 buf[0] = (uchar_t)(crc & 0xff); 658 buf[1] = (uchar_t)((crc >> 8) & 0xff); 659 buf[2] = (uchar_t)((crc >> 16) & 0xff); 660 buf[3] = (uchar_t)((crc >> 24) & 0xff); 661 662 return (CRYPTO_SUCCESS); 663 } 664 665 static int 666 kef_digest(crypto_mech_type_t digest_type, 667 uchar_t *input, uint_t inlen, 668 uchar_t *output, uint_t hashlen) 669 { 670 iovec_t v1, v2; 671 crypto_data_t d1, d2; 672 crypto_mechanism_t mech; 673 int rv; 674 675 mech.cm_type = digest_type; 676 mech.cm_param = 0; 677 mech.cm_param_len = 0; 678 679 v1.iov_base = (void *)input; 680 v1.iov_len = inlen; 681 682 d1.cd_format = CRYPTO_DATA_RAW; 683 d1.cd_offset = 0; 684 d1.cd_length = v1.iov_len; 685 d1.cd_raw = v1; 686 687 v2.iov_base = (void *)output; 688 v2.iov_len = hashlen; 689 690 d2.cd_format = CRYPTO_DATA_RAW; 691 d2.cd_offset = 0; 692 d2.cd_length = v2.iov_len; 693 d2.cd_raw = v2; 694 695 rv = crypto_digest(&mech, &d1, &d2, NULL); 696 697 return (rv); 698 } 699 700 /* 701 * sha1_calc 702 * 703 * Get a SHA1 hash on the input data. 704 */ 705 static int 706 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen) 707 { 708 int rv; 709 710 rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE); 711 712 return (rv); 713 } 714 715 /* 716 * Get an MD5 hash on the input data. 717 * md5_calc 718 * 719 */ 720 static int 721 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen) 722 { 723 int rv; 724 725 rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE); 726 727 return (rv); 728 } 729 730 /* 731 * nfold 732 * duplicate the functionality of the krb5_nfold function from 733 * the userland kerberos mech. 734 * This is needed to derive keys for use with 3DES/SHA1-HMAC 735 * ciphers. 736 */ 737 static void 738 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out) 739 { 740 int a, b, c, lcm; 741 int byte, i, msbit; 742 743 inbits >>= 3; 744 outbits >>= 3; 745 746 /* first compute lcm(n,k) */ 747 a = outbits; 748 b = inbits; 749 750 while (b != 0) { 751 c = b; 752 b = a%b; 753 a = c; 754 } 755 756 lcm = outbits*inbits/a; 757 758 /* now do the real work */ 759 760 bzero(out, outbits); 761 byte = 0; 762 763 /* 764 * Compute the msbit in k which gets added into this byte 765 * first, start with the msbit in the first, unrotated byte 766 * then, for each byte, shift to the right for each repetition 767 * last, pick out the correct byte within that shifted repetition 768 */ 769 for (i = lcm-1; i >= 0; i--) { 770 msbit = (((inbits<<3)-1) 771 +(((inbits<<3)+13)*(i/inbits)) 772 +((inbits-(i%inbits))<<3)) %(inbits<<3); 773 774 /* pull out the byte value itself */ 775 byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)| 776 (in[((inbits)-(msbit>>3))%inbits])) 777 >>((msbit&7)+1))&0xff; 778 779 /* do the addition */ 780 byte += out[i%outbits]; 781 out[i%outbits] = byte&0xff; 782 783 byte >>= 8; 784 } 785 786 /* if there's a carry bit left over, add it back in */ 787 if (byte) { 788 for (i = outbits-1; i >= 0; i--) { 789 /* do the addition */ 790 byte += out[i]; 791 out[i] = byte&0xff; 792 793 /* keep around the carry bit, if any */ 794 byte >>= 8; 795 } 796 } 797 } 798 799 #define smask(step) ((1<<step)-1) 800 #define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step))) 801 #define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1) 802 803 /* 804 * Duplicate the functionality of the "dk_derive_key" function 805 * in the Kerberos mechanism. 806 */ 807 static int 808 derive_key(struct cipher_data_t *cdata, uchar_t *constdata, 809 int constlen, char *dkey, int keybytes, 810 int blocklen) 811 { 812 int rv = 0; 813 int n = 0, i; 814 char *inblock; 815 char *rawkey; 816 char *zeroblock; 817 char *saveblock; 818 819 inblock = kmem_zalloc(blocklen, KM_SLEEP); 820 rawkey = kmem_zalloc(keybytes, KM_SLEEP); 821 zeroblock = kmem_zalloc(blocklen, KM_SLEEP); 822 823 if (constlen == blocklen) 824 bcopy(constdata, inblock, blocklen); 825 else 826 nfold(constlen * 8, constdata, 827 blocklen * 8, (uchar_t *)inblock); 828 829 /* 830 * zeroblock is an IV of all 0's. 831 * 832 * The "block" section of the cdata record is used as the 833 * IV for crypto operations in the kef_crypt function. 834 * 835 * We use 'block' as a generic IV data buffer because it 836 * is attached to the stream state data and thus can 837 * be used to hold information that must carry over 838 * from processing of one mblk to another. 839 * 840 * Here, we save the current IV and replace it with 841 * and empty IV (all 0's) for use when deriving the 842 * keys. Once the key derivation is done, we swap the 843 * old IV back into place. 844 */ 845 saveblock = cdata->block; 846 cdata->block = zeroblock; 847 848 while (n < keybytes) { 849 rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW, 850 blocklen, CRYPT_ENCRYPT); 851 if (rv != CRYPTO_SUCCESS) { 852 /* put the original IV block back in place */ 853 cdata->block = saveblock; 854 cmn_err(CE_WARN, "failed to derive a key: %0x", rv); 855 goto cleanup; 856 } 857 858 if (keybytes - n < blocklen) { 859 bcopy(inblock, rawkey+n, (keybytes-n)); 860 break; 861 } 862 bcopy(inblock, rawkey+n, blocklen); 863 n += blocklen; 864 } 865 /* put the original IV block back in place */ 866 cdata->block = saveblock; 867 868 /* finally, make the key */ 869 if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) { 870 /* 871 * 3DES key derivation requires that we make sure the 872 * key has the proper parity. 873 */ 874 for (i = 0; i < 3; i++) { 875 bcopy(rawkey+(i*7), dkey+(i*8), 7); 876 877 /* 'dkey' is our derived key output buffer */ 878 dkey[i*8+7] = (((dkey[i*8]&1)<<1) | 879 ((dkey[i*8+1]&1)<<2) | 880 ((dkey[i*8+2]&1)<<3) | 881 ((dkey[i*8+3]&1)<<4) | 882 ((dkey[i*8+4]&1)<<5) | 883 ((dkey[i*8+5]&1)<<6) | 884 ((dkey[i*8+6]&1)<<7)); 885 886 for (n = 0; n < 8; n++) { 887 dkey[i*8 + n] &= 0xfe; 888 dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]); 889 } 890 } 891 } else if (IS_AES_METHOD(cdata->method)) { 892 bcopy(rawkey, dkey, keybytes); 893 } 894 cleanup: 895 kmem_free(inblock, blocklen); 896 kmem_free(zeroblock, blocklen); 897 kmem_free(rawkey, keybytes); 898 return (rv); 899 } 900 901 /* 902 * create_derived_keys 903 * 904 * Algorithm for deriving a new key and an HMAC key 905 * before computing the 3DES-SHA1-HMAC operation on the plaintext 906 * This algorithm matches the work done by Kerberos mechanism 907 * in userland. 908 */ 909 static int 910 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage, 911 crypto_key_t *enckey, crypto_key_t *hmackey) 912 { 913 uchar_t constdata[K5CLENGTH]; 914 int keybytes; 915 int rv; 916 917 constdata[0] = (usage>>24)&0xff; 918 constdata[1] = (usage>>16)&0xff; 919 constdata[2] = (usage>>8)&0xff; 920 constdata[3] = usage & 0xff; 921 /* Use "0xAA" for deriving encryption key */ 922 constdata[4] = 0xAA; /* from MIT Kerberos code */ 923 924 enckey->ck_length = cdata->keylen * 8; 925 enckey->ck_format = CRYPTO_KEY_RAW; 926 enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP); 927 928 switch (cdata->method) { 929 case CRYPT_METHOD_DES_CFB: 930 case CRYPT_METHOD_DES_CBC_NULL: 931 case CRYPT_METHOD_DES_CBC_MD5: 932 case CRYPT_METHOD_DES_CBC_CRC: 933 keybytes = 8; 934 break; 935 case CRYPT_METHOD_DES3_CBC_SHA1: 936 keybytes = CRYPT_DES3_KEYBYTES; 937 break; 938 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 939 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 940 keybytes = CRYPT_ARCFOUR_KEYBYTES; 941 break; 942 case CRYPT_METHOD_AES128: 943 keybytes = CRYPT_AES128_KEYBYTES; 944 break; 945 case CRYPT_METHOD_AES256: 946 keybytes = CRYPT_AES256_KEYBYTES; 947 break; 948 } 949 950 /* derive main crypto key */ 951 rv = derive_key(cdata, constdata, sizeof (constdata), 952 enckey->ck_data, keybytes, cdata->blocklen); 953 954 if (rv == CRYPTO_SUCCESS) { 955 956 /* Use "0x55" for deriving mac key */ 957 constdata[4] = 0x55; 958 959 hmackey->ck_length = cdata->keylen * 8; 960 hmackey->ck_format = CRYPTO_KEY_RAW; 961 hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP); 962 963 rv = derive_key(cdata, constdata, sizeof (constdata), 964 hmackey->ck_data, keybytes, 965 cdata->blocklen); 966 } else { 967 cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv); 968 } 969 970 return (rv); 971 } 972 973 /* 974 * Compute 3-DES crypto and HMAC. 975 */ 976 static int 977 kef_decr_hmac(struct cipher_data_t *cdata, 978 mblk_t *mp, int length, 979 char *hmac, int hmaclen) 980 { 981 int rv = CRYPTO_FAILED; 982 983 crypto_mechanism_t encr_mech; 984 crypto_mechanism_t mac_mech; 985 crypto_data_t dd; 986 crypto_data_t mac; 987 iovec_t v1; 988 989 ASSERT(cdata != NULL); 990 ASSERT(mp != NULL); 991 ASSERT(hmac != NULL); 992 993 bzero(&dd, sizeof (dd)); 994 dd.cd_format = CRYPTO_DATA_MBLK; 995 dd.cd_offset = 0; 996 dd.cd_length = length; 997 dd.cd_mp = mp; 998 999 v1.iov_base = hmac; 1000 v1.iov_len = hmaclen; 1001 1002 mac.cd_format = CRYPTO_DATA_RAW; 1003 mac.cd_offset = 0; 1004 mac.cd_length = hmaclen; 1005 mac.cd_raw = v1; 1006 1007 /* 1008 * cdata->block holds the IVEC 1009 */ 1010 encr_mech.cm_type = cdata->mech_type; 1011 encr_mech.cm_param = cdata->block; 1012 1013 if (cdata->block != NULL) 1014 encr_mech.cm_param_len = cdata->blocklen; 1015 else 1016 encr_mech.cm_param_len = 0; 1017 1018 rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key, 1019 cdata->enc_tmpl, NULL, NULL); 1020 if (rv != CRYPTO_SUCCESS) { 1021 cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv); 1022 return (rv); 1023 } 1024 1025 mac_mech.cm_type = sha1_hmac_mech; 1026 mac_mech.cm_param = NULL; 1027 mac_mech.cm_param_len = 0; 1028 1029 /* 1030 * Compute MAC of the plaintext decrypted above. 1031 */ 1032 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key, 1033 cdata->hmac_tmpl, &mac, NULL); 1034 1035 if (rv != CRYPTO_SUCCESS) { 1036 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); 1037 } 1038 1039 return (rv); 1040 } 1041 1042 /* 1043 * Compute 3-DES crypto and HMAC. 1044 */ 1045 static int 1046 kef_encr_hmac(struct cipher_data_t *cdata, 1047 mblk_t *mp, int length, 1048 char *hmac, int hmaclen) 1049 { 1050 int rv = CRYPTO_FAILED; 1051 1052 crypto_mechanism_t encr_mech; 1053 crypto_mechanism_t mac_mech; 1054 crypto_data_t dd; 1055 crypto_data_t mac; 1056 iovec_t v1; 1057 1058 ASSERT(cdata != NULL); 1059 ASSERT(mp != NULL); 1060 ASSERT(hmac != NULL); 1061 1062 bzero(&dd, sizeof (dd)); 1063 dd.cd_format = CRYPTO_DATA_MBLK; 1064 dd.cd_offset = 0; 1065 dd.cd_length = length; 1066 dd.cd_mp = mp; 1067 1068 v1.iov_base = hmac; 1069 v1.iov_len = hmaclen; 1070 1071 mac.cd_format = CRYPTO_DATA_RAW; 1072 mac.cd_offset = 0; 1073 mac.cd_length = hmaclen; 1074 mac.cd_raw = v1; 1075 1076 /* 1077 * cdata->block holds the IVEC 1078 */ 1079 encr_mech.cm_type = cdata->mech_type; 1080 encr_mech.cm_param = cdata->block; 1081 1082 if (cdata->block != NULL) 1083 encr_mech.cm_param_len = cdata->blocklen; 1084 else 1085 encr_mech.cm_param_len = 0; 1086 1087 mac_mech.cm_type = sha1_hmac_mech; 1088 mac_mech.cm_param = NULL; 1089 mac_mech.cm_param_len = 0; 1090 1091 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key, 1092 cdata->hmac_tmpl, &mac, NULL); 1093 1094 if (rv != CRYPTO_SUCCESS) { 1095 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); 1096 return (rv); 1097 } 1098 1099 rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key, 1100 cdata->enc_tmpl, NULL, NULL); 1101 if (rv != CRYPTO_SUCCESS) { 1102 cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv); 1103 } 1104 1105 return (rv); 1106 } 1107 1108 /* 1109 * kef_crypt 1110 * 1111 * Use the Kernel encryption framework to provide the 1112 * crypto operations for the indicated data. 1113 */ 1114 static int 1115 kef_crypt(struct cipher_data_t *cdata, 1116 void *indata, crypto_data_format_t fmt, 1117 size_t length, int mode) 1118 { 1119 int rv = CRYPTO_FAILED; 1120 1121 crypto_mechanism_t mech; 1122 crypto_key_t crkey; 1123 iovec_t v1; 1124 crypto_data_t d1; 1125 1126 ASSERT(cdata != NULL); 1127 ASSERT(indata != NULL); 1128 ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK); 1129 1130 bzero(&crkey, sizeof (crkey)); 1131 bzero(&d1, sizeof (d1)); 1132 1133 crkey.ck_format = CRYPTO_KEY_RAW; 1134 crkey.ck_data = cdata->key; 1135 1136 /* keys are measured in bits, not bytes, so multiply by 8 */ 1137 crkey.ck_length = cdata->keylen * 8; 1138 1139 if (fmt == CRYPTO_DATA_RAW) { 1140 v1.iov_base = (char *)indata; 1141 v1.iov_len = length; 1142 } 1143 1144 d1.cd_format = fmt; 1145 d1.cd_offset = 0; 1146 d1.cd_length = length; 1147 if (fmt == CRYPTO_DATA_RAW) 1148 d1.cd_raw = v1; 1149 else if (fmt == CRYPTO_DATA_MBLK) 1150 d1.cd_mp = (mblk_t *)indata; 1151 1152 mech.cm_type = cdata->mech_type; 1153 mech.cm_param = cdata->block; 1154 /* 1155 * cdata->block holds the IVEC 1156 */ 1157 if (cdata->block != NULL) 1158 mech.cm_param_len = cdata->blocklen; 1159 else 1160 mech.cm_param_len = 0; 1161 1162 /* 1163 * encrypt and decrypt in-place 1164 */ 1165 if (mode == CRYPT_ENCRYPT) 1166 rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL); 1167 else 1168 rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL); 1169 1170 if (rv != CRYPTO_SUCCESS) { 1171 cmn_err(CE_WARN, "%s returned error %08x", 1172 (mode == CRYPT_ENCRYPT ? "crypto_encrypt" : 1173 "crypto_decrypt"), rv); 1174 return (CRYPTO_FAILED); 1175 } 1176 1177 return (rv); 1178 } 1179 1180 static int 1181 do_hmac(crypto_mech_type_t mech, 1182 crypto_key_t *key, 1183 char *data, int datalen, 1184 char *hmac, int hmaclen) 1185 { 1186 int rv = 0; 1187 crypto_mechanism_t mac_mech; 1188 crypto_data_t dd; 1189 crypto_data_t mac; 1190 iovec_t vdata, vmac; 1191 1192 mac_mech.cm_type = mech; 1193 mac_mech.cm_param = NULL; 1194 mac_mech.cm_param_len = 0; 1195 1196 vdata.iov_base = data; 1197 vdata.iov_len = datalen; 1198 1199 bzero(&dd, sizeof (dd)); 1200 dd.cd_format = CRYPTO_DATA_RAW; 1201 dd.cd_offset = 0; 1202 dd.cd_length = datalen; 1203 dd.cd_raw = vdata; 1204 1205 vmac.iov_base = hmac; 1206 vmac.iov_len = hmaclen; 1207 1208 mac.cd_format = CRYPTO_DATA_RAW; 1209 mac.cd_offset = 0; 1210 mac.cd_length = hmaclen; 1211 mac.cd_raw = vmac; 1212 1213 /* 1214 * Compute MAC of the plaintext decrypted above. 1215 */ 1216 rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL); 1217 1218 if (rv != CRYPTO_SUCCESS) { 1219 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); 1220 } 1221 1222 return (rv); 1223 } 1224 1225 #define XOR_BLOCK(src, dst) \ 1226 (dst)[0] ^= (src)[0]; \ 1227 (dst)[1] ^= (src)[1]; \ 1228 (dst)[2] ^= (src)[2]; \ 1229 (dst)[3] ^= (src)[3]; \ 1230 (dst)[4] ^= (src)[4]; \ 1231 (dst)[5] ^= (src)[5]; \ 1232 (dst)[6] ^= (src)[6]; \ 1233 (dst)[7] ^= (src)[7]; \ 1234 (dst)[8] ^= (src)[8]; \ 1235 (dst)[9] ^= (src)[9]; \ 1236 (dst)[10] ^= (src)[10]; \ 1237 (dst)[11] ^= (src)[11]; \ 1238 (dst)[12] ^= (src)[12]; \ 1239 (dst)[13] ^= (src)[13]; \ 1240 (dst)[14] ^= (src)[14]; \ 1241 (dst)[15] ^= (src)[15] 1242 1243 #define xorblock(x, y) XOR_BLOCK(y, x) 1244 1245 static int 1246 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length) 1247 { 1248 int result = CRYPTO_SUCCESS; 1249 unsigned char tmp[DEFAULT_AES_BLOCKLEN]; 1250 unsigned char tmp2[DEFAULT_AES_BLOCKLEN]; 1251 unsigned char tmp3[DEFAULT_AES_BLOCKLEN]; 1252 int nblocks = 0, blockno; 1253 crypto_data_t ct, pt; 1254 crypto_mechanism_t mech; 1255 1256 mech.cm_type = tmi->enc_data.mech_type; 1257 if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) { 1258 bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); 1259 mech.cm_param = tmi->enc_data.ivec; 1260 mech.cm_param_len = tmi->enc_data.ivlen; 1261 } else { 1262 bzero(tmp, sizeof (tmp)); 1263 mech.cm_param = NULL; 1264 mech.cm_param_len = 0; 1265 } 1266 1267 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; 1268 1269 bzero(&ct, sizeof (crypto_data_t)); 1270 bzero(&pt, sizeof (crypto_data_t)); 1271 1272 if (nblocks == 1) { 1273 pt.cd_format = CRYPTO_DATA_RAW; 1274 pt.cd_length = length; 1275 pt.cd_raw.iov_base = (char *)plain; 1276 pt.cd_raw.iov_len = length; 1277 1278 result = crypto_encrypt(&mech, &pt, 1279 &tmi->enc_data.d_encr_key, NULL, NULL, NULL); 1280 1281 if (result != CRYPTO_SUCCESS) { 1282 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1283 "crypto_encrypt failed: %0x", result); 1284 } 1285 } else { 1286 size_t nleft; 1287 1288 ct.cd_format = CRYPTO_DATA_RAW; 1289 ct.cd_offset = 0; 1290 ct.cd_length = DEFAULT_AES_BLOCKLEN; 1291 1292 pt.cd_format = CRYPTO_DATA_RAW; 1293 pt.cd_offset = 0; 1294 pt.cd_length = DEFAULT_AES_BLOCKLEN; 1295 1296 result = crypto_encrypt_init(&mech, 1297 &tmi->enc_data.d_encr_key, 1298 tmi->enc_data.enc_tmpl, 1299 &tmi->enc_data.ctx, NULL); 1300 1301 if (result != CRYPTO_SUCCESS) { 1302 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1303 "crypto_encrypt_init failed: %0x", result); 1304 goto cleanup; 1305 } 1306 1307 for (blockno = 0; blockno < nblocks - 2; blockno++) { 1308 xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN); 1309 1310 pt.cd_raw.iov_base = (char *)tmp; 1311 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1312 1313 ct.cd_raw.iov_base = (char *)plain + 1314 blockno * DEFAULT_AES_BLOCKLEN; 1315 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1316 1317 result = crypto_encrypt_update(tmi->enc_data.ctx, 1318 &pt, &ct, NULL); 1319 1320 if (result != CRYPTO_SUCCESS) { 1321 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1322 "crypto_encrypt_update failed: %0x", 1323 result); 1324 goto cleanup; 1325 } 1326 /* copy result over original bytes */ 1327 /* make another copy for the next XOR step */ 1328 bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN, 1329 tmp, DEFAULT_AES_BLOCKLEN); 1330 } 1331 /* XOR cipher text from n-3 with plain text from n-2 */ 1332 xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN); 1333 1334 pt.cd_raw.iov_base = (char *)tmp; 1335 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1336 1337 ct.cd_raw.iov_base = (char *)tmp2; 1338 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1339 1340 /* encrypt XOR-ed block N-2 */ 1341 result = crypto_encrypt_update(tmi->enc_data.ctx, 1342 &pt, &ct, NULL); 1343 if (result != CRYPTO_SUCCESS) { 1344 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1345 "crypto_encrypt_update(2) failed: %0x", 1346 result); 1347 goto cleanup; 1348 } 1349 nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN; 1350 1351 bzero(tmp3, sizeof (tmp3)); 1352 /* Save final plaintext bytes from n-1 */ 1353 bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, 1354 nleft); 1355 1356 /* Overwrite n-1 with cipher text from n-2 */ 1357 bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, 1358 nleft); 1359 1360 bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN); 1361 /* XOR cipher text from n-1 with plain text from n-1 */ 1362 xorblock(tmp, tmp3); 1363 1364 pt.cd_raw.iov_base = (char *)tmp; 1365 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1366 1367 ct.cd_raw.iov_base = (char *)tmp2; 1368 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1369 1370 /* encrypt block N-2 */ 1371 result = crypto_encrypt_update(tmi->enc_data.ctx, 1372 &pt, &ct, NULL); 1373 1374 if (result != CRYPTO_SUCCESS) { 1375 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1376 "crypto_encrypt_update(3) failed: %0x", 1377 result); 1378 goto cleanup; 1379 } 1380 1381 bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1382 DEFAULT_AES_BLOCKLEN); 1383 1384 1385 ct.cd_raw.iov_base = (char *)tmp2; 1386 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1387 1388 /* 1389 * Ignore the output on the final step. 1390 */ 1391 result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL); 1392 if (result != CRYPTO_SUCCESS) { 1393 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1394 "crypto_encrypt_final(3) failed: %0x", 1395 result); 1396 } 1397 tmi->enc_data.ctx = NULL; 1398 } 1399 cleanup: 1400 bzero(tmp, sizeof (tmp)); 1401 bzero(tmp2, sizeof (tmp)); 1402 bzero(tmp3, sizeof (tmp)); 1403 bzero(tmi->enc_data.block, tmi->enc_data.blocklen); 1404 return (result); 1405 } 1406 1407 static int 1408 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length) 1409 { 1410 int result = CRYPTO_SUCCESS; 1411 unsigned char tmp[DEFAULT_AES_BLOCKLEN]; 1412 unsigned char tmp2[DEFAULT_AES_BLOCKLEN]; 1413 unsigned char tmp3[DEFAULT_AES_BLOCKLEN]; 1414 int nblocks = 0, blockno; 1415 crypto_data_t ct, pt; 1416 crypto_mechanism_t mech; 1417 1418 mech.cm_type = tmi->enc_data.mech_type; 1419 1420 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1421 tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) { 1422 bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); 1423 mech.cm_param = tmi->dec_data.ivec; 1424 mech.cm_param_len = tmi->dec_data.ivlen; 1425 } else { 1426 bzero(tmp, sizeof (tmp)); 1427 mech.cm_param_len = 0; 1428 mech.cm_param = NULL; 1429 } 1430 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; 1431 1432 bzero(&pt, sizeof (pt)); 1433 bzero(&ct, sizeof (ct)); 1434 1435 if (nblocks == 1) { 1436 ct.cd_format = CRYPTO_DATA_RAW; 1437 ct.cd_length = length; 1438 ct.cd_raw.iov_base = (char *)buff; 1439 ct.cd_raw.iov_len = length; 1440 1441 result = crypto_decrypt(&mech, &ct, 1442 &tmi->dec_data.d_encr_key, NULL, NULL, NULL); 1443 1444 if (result != CRYPTO_SUCCESS) { 1445 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1446 "crypto_decrypt failed: %0x", result); 1447 goto cleanup; 1448 } 1449 } else { 1450 ct.cd_format = CRYPTO_DATA_RAW; 1451 ct.cd_offset = 0; 1452 ct.cd_length = DEFAULT_AES_BLOCKLEN; 1453 1454 pt.cd_format = CRYPTO_DATA_RAW; 1455 pt.cd_offset = 0; 1456 pt.cd_length = DEFAULT_AES_BLOCKLEN; 1457 1458 result = crypto_encrypt_init(&mech, 1459 &tmi->dec_data.d_encr_key, 1460 tmi->dec_data.enc_tmpl, 1461 &tmi->dec_data.ctx, NULL); 1462 1463 if (result != CRYPTO_SUCCESS) { 1464 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1465 "crypto_decrypt_init failed: %0x", result); 1466 goto cleanup; 1467 } 1468 for (blockno = 0; blockno < nblocks - 2; blockno++) { 1469 ct.cd_raw.iov_base = (char *)buff + 1470 (blockno * DEFAULT_AES_BLOCKLEN); 1471 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1472 1473 pt.cd_raw.iov_base = (char *)tmp2; 1474 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1475 1476 /* 1477 * Save the input to the decrypt so it can 1478 * be used later for an XOR operation 1479 */ 1480 bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN), 1481 tmi->dec_data.block, DEFAULT_AES_BLOCKLEN); 1482 1483 result = crypto_decrypt_update(tmi->dec_data.ctx, 1484 &ct, &pt, NULL); 1485 if (result != CRYPTO_SUCCESS) { 1486 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1487 "crypto_decrypt_update(1) error - " 1488 "result = 0x%08x", result); 1489 goto cleanup; 1490 } 1491 xorblock(tmp2, tmp); 1492 bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN, 1493 DEFAULT_AES_BLOCKLEN); 1494 /* 1495 * The original cipher text is used as the xor 1496 * for the next block, save it here. 1497 */ 1498 bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN); 1499 } 1500 ct.cd_raw.iov_base = (char *)buff + 1501 ((nblocks - 2) * DEFAULT_AES_BLOCKLEN); 1502 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1503 pt.cd_raw.iov_base = (char *)tmp2; 1504 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1505 1506 result = crypto_decrypt_update(tmi->dec_data.ctx, 1507 &ct, &pt, NULL); 1508 if (result != CRYPTO_SUCCESS) { 1509 cmn_err(CE_WARN, 1510 "aes_cbc_cts_decrypt: " 1511 "crypto_decrypt_update(2) error -" 1512 " result = 0x%08x", result); 1513 goto cleanup; 1514 } 1515 bzero(tmp3, sizeof (tmp3)); 1516 bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, 1517 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1518 1519 xorblock(tmp2, tmp3); 1520 bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, 1521 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1522 1523 /* 2nd to last block ... */ 1524 bcopy(tmp3, tmp2, 1525 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1526 1527 ct.cd_raw.iov_base = (char *)tmp2; 1528 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1529 pt.cd_raw.iov_base = (char *)tmp3; 1530 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1531 1532 result = crypto_decrypt_update(tmi->dec_data.ctx, 1533 &ct, &pt, NULL); 1534 if (result != CRYPTO_SUCCESS) { 1535 cmn_err(CE_WARN, 1536 "aes_cbc_cts_decrypt: " 1537 "crypto_decrypt_update(3) error - " 1538 "result = 0x%08x", result); 1539 goto cleanup; 1540 } 1541 xorblock(tmp3, tmp); 1542 1543 1544 /* Finally, update the 2nd to last block and we are done. */ 1545 bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1546 DEFAULT_AES_BLOCKLEN); 1547 1548 /* Do Final step, but ignore output */ 1549 pt.cd_raw.iov_base = (char *)tmp2; 1550 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1551 result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL); 1552 if (result != CRYPTO_SUCCESS) { 1553 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1554 "crypto_decrypt_final error - " 1555 "result = 0x%0x", result); 1556 } 1557 tmi->dec_data.ctx = NULL; 1558 } 1559 1560 cleanup: 1561 bzero(tmp, sizeof (tmp)); 1562 bzero(tmp2, sizeof (tmp)); 1563 bzero(tmp3, sizeof (tmp)); 1564 bzero(tmi->dec_data.block, tmi->dec_data.blocklen); 1565 return (result); 1566 } 1567 1568 /* 1569 * AES decrypt 1570 * 1571 * format of ciphertext when using AES 1572 * +-------------+------------+------------+ 1573 * | confounder | msg-data | hmac | 1574 * +-------------+------------+------------+ 1575 */ 1576 static mblk_t * 1577 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1578 hash_info_t *hash) 1579 { 1580 int result; 1581 size_t enclen; 1582 size_t inlen; 1583 uchar_t hmacbuff[64]; 1584 uchar_t tmpiv[DEFAULT_AES_BLOCKLEN]; 1585 1586 inlen = (size_t)MBLKL(mp); 1587 1588 enclen = inlen - AES_TRUNCATED_HMAC_LEN; 1589 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1590 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) { 1591 int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) / 1592 DEFAULT_AES_BLOCKLEN; 1593 bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2), 1594 tmpiv, DEFAULT_AES_BLOCKLEN); 1595 } 1596 1597 /* AES Decrypt */ 1598 result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen); 1599 1600 if (result != CRYPTO_SUCCESS) { 1601 cmn_err(CE_WARN, 1602 "aes_decrypt: aes_cbc_cts_decrypt " 1603 "failed - error %0x", result); 1604 goto cleanup; 1605 } 1606 1607 /* Verify the HMAC */ 1608 result = do_hmac(sha1_hmac_mech, 1609 &tmi->dec_data.d_hmac_key, 1610 (char *)mp->b_rptr, enclen, 1611 (char *)hmacbuff, hash->hash_len); 1612 1613 if (result != CRYPTO_SUCCESS) { 1614 cmn_err(CE_WARN, 1615 "aes_decrypt: do_hmac failed - error %0x", result); 1616 goto cleanup; 1617 } 1618 1619 if (bcmp(hmacbuff, mp->b_rptr + enclen, 1620 AES_TRUNCATED_HMAC_LEN) != 0) { 1621 result = -1; 1622 cmn_err(CE_WARN, "aes_decrypt: checksum verification failed"); 1623 goto cleanup; 1624 } 1625 1626 /* truncate the mblk at the end of the decrypted text */ 1627 mp->b_wptr = mp->b_rptr + enclen; 1628 1629 /* Adjust the beginning of the buffer to skip the confounder */ 1630 mp->b_rptr += DEFAULT_AES_BLOCKLEN; 1631 1632 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1633 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) 1634 bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN); 1635 1636 cleanup: 1637 if (result != CRYPTO_SUCCESS) { 1638 mp->b_datap->db_type = M_ERROR; 1639 mp->b_rptr = mp->b_datap->db_base; 1640 *mp->b_rptr = EIO; 1641 mp->b_wptr = mp->b_rptr + sizeof (char); 1642 freemsg(mp->b_cont); 1643 mp->b_cont = NULL; 1644 qreply(WR(q), mp); 1645 return (NULL); 1646 } 1647 return (mp); 1648 } 1649 1650 /* 1651 * AES encrypt 1652 * 1653 * format of ciphertext when using AES 1654 * +-------------+------------+------------+ 1655 * | confounder | msg-data | hmac | 1656 * +-------------+------------+------------+ 1657 */ 1658 static mblk_t * 1659 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1660 hash_info_t *hash) 1661 { 1662 int result; 1663 size_t cipherlen; 1664 size_t inlen; 1665 uchar_t hmacbuff[64]; 1666 1667 inlen = (size_t)MBLKL(mp); 1668 1669 cipherlen = encrypt_size(&tmi->enc_data, inlen); 1670 1671 ASSERT(MBLKSIZE(mp) >= cipherlen); 1672 1673 /* 1674 * Shift the rptr back enough to insert the confounder. 1675 */ 1676 mp->b_rptr -= DEFAULT_AES_BLOCKLEN; 1677 1678 /* Get random data for confounder */ 1679 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr, 1680 DEFAULT_AES_BLOCKLEN); 1681 1682 /* 1683 * Because we encrypt in-place, we need to calculate 1684 * the HMAC of the plaintext now, then stick it on 1685 * the end of the ciphertext down below. 1686 */ 1687 result = do_hmac(sha1_hmac_mech, 1688 &tmi->enc_data.d_hmac_key, 1689 (char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen, 1690 (char *)hmacbuff, hash->hash_len); 1691 1692 if (result != CRYPTO_SUCCESS) { 1693 cmn_err(CE_WARN, "aes_encrypt: do_hmac failed - error %0x", 1694 result); 1695 goto cleanup; 1696 } 1697 /* Encrypt using AES-CBC-CTS */ 1698 result = aes_cbc_cts_encrypt(tmi, mp->b_rptr, 1699 inlen + DEFAULT_AES_BLOCKLEN); 1700 1701 if (result != CRYPTO_SUCCESS) { 1702 cmn_err(CE_WARN, "aes_encrypt: aes_cbc_cts_encrypt " 1703 "failed - error %0x", result); 1704 goto cleanup; 1705 } 1706 1707 /* copy the truncated HMAC to the end of the mblk */ 1708 bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen, 1709 AES_TRUNCATED_HMAC_LEN); 1710 1711 mp->b_wptr = mp->b_rptr + cipherlen; 1712 1713 /* 1714 * The final block of cipher text (not the HMAC) is used 1715 * as the next IV. 1716 */ 1717 if (tmi->enc_data.ivec_usage != IVEC_NEVER && 1718 tmi->enc_data.ivec != NULL) { 1719 int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) / 1720 DEFAULT_AES_BLOCKLEN; 1721 1722 bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1723 tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN); 1724 } 1725 1726 cleanup: 1727 if (result != CRYPTO_SUCCESS) { 1728 mp->b_datap->db_type = M_ERROR; 1729 mp->b_rptr = mp->b_datap->db_base; 1730 *mp->b_rptr = EIO; 1731 mp->b_wptr = mp->b_rptr + sizeof (char); 1732 freemsg(mp->b_cont); 1733 mp->b_cont = NULL; 1734 qreply(WR(q), mp); 1735 return (NULL); 1736 } 1737 return (mp); 1738 } 1739 1740 /* 1741 * ARCFOUR-HMAC-MD5 decrypt 1742 * 1743 * format of ciphertext when using ARCFOUR-HMAC-MD5 1744 * +-----------+------------+------------+ 1745 * | hmac | confounder | msg-data | 1746 * +-----------+------------+------------+ 1747 * 1748 */ 1749 static mblk_t * 1750 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1751 hash_info_t *hash) 1752 { 1753 int result; 1754 size_t cipherlen; 1755 size_t inlen; 1756 size_t saltlen; 1757 crypto_key_t k1, k2; 1758 crypto_data_t indata; 1759 iovec_t v1; 1760 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 1761 0xab, 0xab, 0xab, 0xab }; 1762 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; 1763 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; 1764 uchar_t cksum[MD5_HASHSIZE]; 1765 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; 1766 crypto_mechanism_t mech; 1767 int usage; 1768 1769 /* The usage constant is 1026 for all "old" rcmd mode operations */ 1770 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1) 1771 usage = RCMDV1_USAGE; 1772 else 1773 usage = ARCFOUR_DECRYPT_USAGE; 1774 1775 /* 1776 * The size at this point should be the size of 1777 * all the plaintext plus the optional plaintext length 1778 * needed for RCMD V2 mode. There should also be room 1779 * at the head of the mblk for the confounder and hash info. 1780 */ 1781 inlen = (size_t)MBLKL(mp); 1782 1783 /* 1784 * The cipherlen does not include the HMAC at the 1785 * head of the buffer. 1786 */ 1787 cipherlen = inlen - hash->hash_len; 1788 1789 ASSERT(MBLKSIZE(mp) >= cipherlen); 1790 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 1791 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); 1792 saltdata[9] = 0; 1793 saltdata[10] = usage & 0xff; 1794 saltdata[11] = (usage >> 8) & 0xff; 1795 saltdata[12] = (usage >> 16) & 0xff; 1796 saltdata[13] = (usage >> 24) & 0xff; 1797 saltlen = 14; 1798 } else { 1799 saltdata[0] = usage & 0xff; 1800 saltdata[1] = (usage >> 8) & 0xff; 1801 saltdata[2] = (usage >> 16) & 0xff; 1802 saltdata[3] = (usage >> 24) & 0xff; 1803 saltlen = 4; 1804 } 1805 /* 1806 * Use the salt value to create a key to be used 1807 * for subsequent HMAC operations. 1808 */ 1809 result = do_hmac(md5_hmac_mech, 1810 tmi->dec_data.ckey, 1811 (char *)saltdata, saltlen, 1812 (char *)k1data, sizeof (k1data)); 1813 if (result != CRYPTO_SUCCESS) { 1814 cmn_err(CE_WARN, 1815 "arcfour_hmac_md5_decrypt: do_hmac(k1)" 1816 "failed - error %0x", result); 1817 goto cleanup; 1818 } 1819 bcopy(k1data, k2data, sizeof (k1data)); 1820 1821 /* 1822 * For the neutered MS RC4 encryption type, 1823 * set the trailing 9 bytes to 0xab per the 1824 * RC4-HMAC spec. 1825 */ 1826 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 1827 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); 1828 } 1829 1830 mech.cm_type = tmi->dec_data.mech_type; 1831 mech.cm_param = NULL; 1832 mech.cm_param_len = 0; 1833 1834 /* 1835 * If we have not yet initialized the decryption key, 1836 * context, and template, do it now. 1837 */ 1838 if (tmi->dec_data.ctx == NULL || 1839 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { 1840 k1.ck_format = CRYPTO_KEY_RAW; 1841 k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8; 1842 k1.ck_data = k1data; 1843 1844 tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW; 1845 tmi->dec_data.d_encr_key.ck_length = k1.ck_length; 1846 if (tmi->dec_data.d_encr_key.ck_data == NULL) 1847 tmi->dec_data.d_encr_key.ck_data = kmem_zalloc( 1848 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); 1849 1850 /* 1851 * HMAC operation creates the encryption 1852 * key to be used for the decrypt operations. 1853 */ 1854 result = do_hmac(md5_hmac_mech, &k1, 1855 (char *)mp->b_rptr, hash->hash_len, 1856 (char *)tmi->dec_data.d_encr_key.ck_data, 1857 CRYPT_ARCFOUR_KEYBYTES); 1858 1859 1860 if (result != CRYPTO_SUCCESS) { 1861 cmn_err(CE_WARN, 1862 "arcfour_hmac_md5_decrypt: do_hmac(k3)" 1863 "failed - error %0x", result); 1864 goto cleanup; 1865 } 1866 } 1867 1868 tmi->dec_data.enc_tmpl = NULL; 1869 1870 if (tmi->dec_data.ctx == NULL && 1871 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { 1872 /* 1873 * Only create a template if we are doing 1874 * chaining from block to block. 1875 */ 1876 result = crypto_create_ctx_template(&mech, 1877 &tmi->dec_data.d_encr_key, 1878 &tmi->dec_data.enc_tmpl, 1879 KM_SLEEP); 1880 if (result == CRYPTO_NOT_SUPPORTED) { 1881 tmi->dec_data.enc_tmpl = NULL; 1882 } else if (result != CRYPTO_SUCCESS) { 1883 cmn_err(CE_WARN, 1884 "arcfour_hmac_md5_decrypt: " 1885 "failed to create dec template " 1886 "for RC4 encrypt: %0x", result); 1887 goto cleanup; 1888 } 1889 1890 result = crypto_decrypt_init(&mech, 1891 &tmi->dec_data.d_encr_key, 1892 tmi->dec_data.enc_tmpl, 1893 &tmi->dec_data.ctx, NULL); 1894 1895 if (result != CRYPTO_SUCCESS) { 1896 cmn_err(CE_WARN, "crypto_decrypt_init failed:" 1897 " %0x", result); 1898 goto cleanup; 1899 } 1900 } 1901 1902 /* adjust the rptr so we don't decrypt the original hmac field */ 1903 1904 v1.iov_base = (char *)mp->b_rptr + hash->hash_len; 1905 v1.iov_len = cipherlen; 1906 1907 indata.cd_format = CRYPTO_DATA_RAW; 1908 indata.cd_offset = 0; 1909 indata.cd_length = cipherlen; 1910 indata.cd_raw = v1; 1911 1912 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 1913 result = crypto_decrypt_update(tmi->dec_data.ctx, 1914 &indata, NULL, NULL); 1915 else 1916 result = crypto_decrypt(&mech, &indata, 1917 &tmi->dec_data.d_encr_key, NULL, NULL, NULL); 1918 1919 if (result != CRYPTO_SUCCESS) { 1920 cmn_err(CE_WARN, "crypto_decrypt_update failed:" 1921 " %0x", result); 1922 goto cleanup; 1923 } 1924 1925 k2.ck_format = CRYPTO_KEY_RAW; 1926 k2.ck_length = sizeof (k2data) * 8; 1927 k2.ck_data = k2data; 1928 1929 result = do_hmac(md5_hmac_mech, 1930 &k2, 1931 (char *)mp->b_rptr + hash->hash_len, cipherlen, 1932 (char *)cksum, hash->hash_len); 1933 1934 if (result != CRYPTO_SUCCESS) { 1935 cmn_err(CE_WARN, 1936 "arcfour_hmac_md5_decrypt: do_hmac(k2)" 1937 "failed - error %0x", result); 1938 goto cleanup; 1939 } 1940 1941 if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) { 1942 cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed"); 1943 result = -1; 1944 goto cleanup; 1945 } 1946 1947 /* 1948 * adjust the start of the mblk to skip over the 1949 * hash and confounder. 1950 */ 1951 mp->b_rptr += hash->hash_len + hash->confound_len; 1952 1953 cleanup: 1954 bzero(k1data, sizeof (k1data)); 1955 bzero(k2data, sizeof (k2data)); 1956 bzero(cksum, sizeof (cksum)); 1957 bzero(saltdata, sizeof (saltdata)); 1958 if (result != CRYPTO_SUCCESS) { 1959 mp->b_datap->db_type = M_ERROR; 1960 mp->b_rptr = mp->b_datap->db_base; 1961 *mp->b_rptr = EIO; 1962 mp->b_wptr = mp->b_rptr + sizeof (char); 1963 freemsg(mp->b_cont); 1964 mp->b_cont = NULL; 1965 qreply(WR(q), mp); 1966 return (NULL); 1967 } 1968 return (mp); 1969 } 1970 1971 /* 1972 * ARCFOUR-HMAC-MD5 encrypt 1973 * 1974 * format of ciphertext when using ARCFOUR-HMAC-MD5 1975 * +-----------+------------+------------+ 1976 * | hmac | confounder | msg-data | 1977 * +-----------+------------+------------+ 1978 * 1979 */ 1980 static mblk_t * 1981 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1982 hash_info_t *hash) 1983 { 1984 int result; 1985 size_t cipherlen; 1986 size_t inlen; 1987 size_t saltlen; 1988 crypto_key_t k1, k2; 1989 crypto_data_t indata; 1990 iovec_t v1; 1991 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 1992 0xab, 0xab, 0xab, 0xab }; 1993 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; 1994 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; 1995 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; 1996 crypto_mechanism_t mech; 1997 int usage; 1998 1999 /* The usage constant is 1026 for all "old" rcmd mode operations */ 2000 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1) 2001 usage = RCMDV1_USAGE; 2002 else 2003 usage = ARCFOUR_ENCRYPT_USAGE; 2004 2005 mech.cm_type = tmi->enc_data.mech_type; 2006 mech.cm_param = NULL; 2007 mech.cm_param_len = 0; 2008 2009 /* 2010 * The size at this point should be the size of 2011 * all the plaintext plus the optional plaintext length 2012 * needed for RCMD V2 mode. There should also be room 2013 * at the head of the mblk for the confounder and hash info. 2014 */ 2015 inlen = (size_t)MBLKL(mp); 2016 2017 cipherlen = encrypt_size(&tmi->enc_data, inlen); 2018 2019 ASSERT(MBLKSIZE(mp) >= cipherlen); 2020 2021 /* 2022 * Shift the rptr back enough to insert 2023 * the confounder and hash. 2024 */ 2025 mp->b_rptr -= (hash->confound_len + hash->hash_len); 2026 2027 /* zero out the hash area */ 2028 bzero(mp->b_rptr, (size_t)hash->hash_len); 2029 2030 if (cipherlen > inlen) { 2031 bzero(mp->b_wptr, MBLKTAIL(mp)); 2032 } 2033 2034 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 2035 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); 2036 saltdata[9] = 0; 2037 saltdata[10] = usage & 0xff; 2038 saltdata[11] = (usage >> 8) & 0xff; 2039 saltdata[12] = (usage >> 16) & 0xff; 2040 saltdata[13] = (usage >> 24) & 0xff; 2041 saltlen = 14; 2042 } else { 2043 saltdata[0] = usage & 0xff; 2044 saltdata[1] = (usage >> 8) & 0xff; 2045 saltdata[2] = (usage >> 16) & 0xff; 2046 saltdata[3] = (usage >> 24) & 0xff; 2047 saltlen = 4; 2048 } 2049 /* 2050 * Use the salt value to create a key to be used 2051 * for subsequent HMAC operations. 2052 */ 2053 result = do_hmac(md5_hmac_mech, 2054 tmi->enc_data.ckey, 2055 (char *)saltdata, saltlen, 2056 (char *)k1data, sizeof (k1data)); 2057 if (result != CRYPTO_SUCCESS) { 2058 cmn_err(CE_WARN, 2059 "arcfour_hmac_md5_encrypt: do_hmac(k1)" 2060 "failed - error %0x", result); 2061 goto cleanup; 2062 } 2063 2064 bcopy(k1data, k2data, sizeof (k2data)); 2065 2066 /* 2067 * For the neutered MS RC4 encryption type, 2068 * set the trailing 9 bytes to 0xab per the 2069 * RC4-HMAC spec. 2070 */ 2071 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 2072 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); 2073 } 2074 2075 /* 2076 * Get the confounder bytes. 2077 */ 2078 (void) random_get_pseudo_bytes( 2079 (uint8_t *)(mp->b_rptr + hash->hash_len), 2080 (size_t)hash->confound_len); 2081 2082 k2.ck_data = k2data; 2083 k2.ck_format = CRYPTO_KEY_RAW; 2084 k2.ck_length = sizeof (k2data) * 8; 2085 2086 /* 2087 * This writes the HMAC to the hash area in the 2088 * mblk. The key used is the one just created by 2089 * the previous HMAC operation. 2090 * The data being processed is the confounder bytes 2091 * PLUS the input plaintext. 2092 */ 2093 result = do_hmac(md5_hmac_mech, &k2, 2094 (char *)mp->b_rptr + hash->hash_len, 2095 hash->confound_len + inlen, 2096 (char *)mp->b_rptr, hash->hash_len); 2097 if (result != CRYPTO_SUCCESS) { 2098 cmn_err(CE_WARN, 2099 "arcfour_hmac_md5_encrypt: do_hmac(k2)" 2100 "failed - error %0x", result); 2101 goto cleanup; 2102 } 2103 /* 2104 * Because of the odd way that MIT uses RC4 keys 2105 * on the rlogin stream, we only need to create 2106 * this key once. 2107 * However, if using "old" rcmd mode, we need to do 2108 * it every time. 2109 */ 2110 if (tmi->enc_data.ctx == NULL || 2111 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { 2112 crypto_key_t *key = &tmi->enc_data.d_encr_key; 2113 2114 k1.ck_data = k1data; 2115 k1.ck_format = CRYPTO_KEY_RAW; 2116 k1.ck_length = sizeof (k1data) * 8; 2117 2118 key->ck_format = CRYPTO_KEY_RAW; 2119 key->ck_length = k1.ck_length; 2120 if (key->ck_data == NULL) 2121 key->ck_data = kmem_zalloc( 2122 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); 2123 2124 /* 2125 * The final HMAC operation creates the encryption 2126 * key to be used for the encrypt operation. 2127 */ 2128 result = do_hmac(md5_hmac_mech, &k1, 2129 (char *)mp->b_rptr, hash->hash_len, 2130 (char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES); 2131 2132 if (result != CRYPTO_SUCCESS) { 2133 cmn_err(CE_WARN, 2134 "arcfour_hmac_md5_encrypt: do_hmac(k3)" 2135 "failed - error %0x", result); 2136 goto cleanup; 2137 } 2138 } 2139 2140 /* 2141 * If the context has not been initialized, do it now. 2142 */ 2143 if (tmi->enc_data.ctx == NULL && 2144 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { 2145 /* 2146 * Only create a template if we are doing 2147 * chaining from block to block. 2148 */ 2149 result = crypto_create_ctx_template(&mech, 2150 &tmi->enc_data.d_encr_key, 2151 &tmi->enc_data.enc_tmpl, 2152 KM_SLEEP); 2153 if (result == CRYPTO_NOT_SUPPORTED) { 2154 tmi->enc_data.enc_tmpl = NULL; 2155 } else if (result != CRYPTO_SUCCESS) { 2156 cmn_err(CE_WARN, "failed to create enc template " 2157 "for RC4 encrypt: %0x", result); 2158 goto cleanup; 2159 } 2160 2161 result = crypto_encrypt_init(&mech, 2162 &tmi->enc_data.d_encr_key, 2163 tmi->enc_data.enc_tmpl, 2164 &tmi->enc_data.ctx, NULL); 2165 if (result != CRYPTO_SUCCESS) { 2166 cmn_err(CE_WARN, "crypto_encrypt_init failed:" 2167 " %0x", result); 2168 goto cleanup; 2169 } 2170 } 2171 v1.iov_base = (char *)mp->b_rptr + hash->hash_len; 2172 v1.iov_len = hash->confound_len + inlen; 2173 2174 indata.cd_format = CRYPTO_DATA_RAW; 2175 indata.cd_offset = 0; 2176 indata.cd_length = hash->confound_len + inlen; 2177 indata.cd_raw = v1; 2178 2179 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 2180 result = crypto_encrypt_update(tmi->enc_data.ctx, 2181 &indata, NULL, NULL); 2182 else 2183 result = crypto_encrypt(&mech, &indata, 2184 &tmi->enc_data.d_encr_key, NULL, 2185 NULL, NULL); 2186 2187 if (result != CRYPTO_SUCCESS) { 2188 cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x", 2189 result); 2190 } 2191 2192 cleanup: 2193 bzero(k1data, sizeof (k1data)); 2194 bzero(k2data, sizeof (k2data)); 2195 bzero(saltdata, sizeof (saltdata)); 2196 if (result != CRYPTO_SUCCESS) { 2197 mp->b_datap->db_type = M_ERROR; 2198 mp->b_rptr = mp->b_datap->db_base; 2199 *mp->b_rptr = EIO; 2200 mp->b_wptr = mp->b_rptr + sizeof (char); 2201 freemsg(mp->b_cont); 2202 mp->b_cont = NULL; 2203 qreply(WR(q), mp); 2204 return (NULL); 2205 } 2206 return (mp); 2207 } 2208 2209 /* 2210 * DES-CBC-[HASH] encrypt 2211 * 2212 * Needed to support userland apps that must support Kerberos V5 2213 * encryption DES-CBC encryption modes. 2214 * 2215 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1 2216 * 2217 * format of ciphertext for DES-CBC functions, per RFC1510 is: 2218 * +-----------+----------+-------------+-----+ 2219 * |confounder | cksum | msg-data | pad | 2220 * +-----------+----------+-------------+-----+ 2221 * 2222 * format of ciphertext when using DES3-SHA1-HMAC 2223 * +-----------+----------+-------------+-----+ 2224 * |confounder | msg-data | hmac | pad | 2225 * +-----------+----------+-------------+-----+ 2226 * 2227 * The confounder is 8 bytes of random data. 2228 * The cksum depends on the hash being used. 2229 * 4 bytes for CRC32 2230 * 16 bytes for MD5 2231 * 20 bytes for SHA1 2232 * 0 bytes for RAW 2233 * 2234 */ 2235 static mblk_t * 2236 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) 2237 { 2238 int result; 2239 size_t cipherlen; 2240 size_t inlen; 2241 size_t plainlen; 2242 2243 /* 2244 * The size at this point should be the size of 2245 * all the plaintext plus the optional plaintext length 2246 * needed for RCMD V2 mode. There should also be room 2247 * at the head of the mblk for the confounder and hash info. 2248 */ 2249 inlen = (size_t)MBLKL(mp); 2250 2251 /* 2252 * The output size will be a multiple of 8 because this algorithm 2253 * only works on 8 byte chunks. 2254 */ 2255 cipherlen = encrypt_size(&tmi->enc_data, inlen); 2256 2257 ASSERT(MBLKSIZE(mp) >= cipherlen); 2258 2259 if (cipherlen > inlen) { 2260 bzero(mp->b_wptr, MBLKTAIL(mp)); 2261 } 2262 2263 /* 2264 * Shift the rptr back enough to insert 2265 * the confounder and hash. 2266 */ 2267 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2268 mp->b_rptr -= hash->confound_len; 2269 } else { 2270 mp->b_rptr -= (hash->confound_len + hash->hash_len); 2271 2272 /* zero out the hash area */ 2273 bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len); 2274 } 2275 2276 /* get random confounder from our friend, the 'random' module */ 2277 if (hash->confound_len > 0) { 2278 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr, 2279 (size_t)hash->confound_len); 2280 } 2281 2282 /* 2283 * For 3DES we calculate an HMAC later. 2284 */ 2285 if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) { 2286 /* calculate chksum of confounder + input */ 2287 if (hash->hash_len > 0 && hash->hashfunc != NULL) { 2288 uchar_t cksum[MAX_CKSUM_LEN]; 2289 2290 result = hash->hashfunc(cksum, mp->b_rptr, 2291 cipherlen); 2292 if (result != CRYPTO_SUCCESS) { 2293 goto failure; 2294 } 2295 2296 /* put hash in place right after the confounder */ 2297 bcopy(cksum, (mp->b_rptr + hash->confound_len), 2298 (size_t)hash->hash_len); 2299 } 2300 } 2301 /* 2302 * In order to support the "old" Kerberos RCMD protocol, 2303 * we must use the IVEC 3 different ways: 2304 * IVEC_REUSE = keep using the same IV each time, this is 2305 * ugly and insecure, but necessary for 2306 * backwards compatibility with existing MIT code. 2307 * IVEC_ONETIME = Use the ivec as initialized when the crypto 2308 * was setup (see setup_crypto routine). 2309 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk). 2310 */ 2311 if (tmi->enc_data.ivec_usage == IVEC_NEVER) { 2312 bzero(tmi->enc_data.block, tmi->enc_data.blocklen); 2313 } else if (tmi->enc_data.ivec_usage == IVEC_REUSE) { 2314 bcopy(tmi->enc_data.ivec, tmi->enc_data.block, 2315 tmi->enc_data.blocklen); 2316 } 2317 2318 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2319 /* 2320 * The input length already included the hash size, 2321 * don't include this in the plaintext length 2322 * calculations. 2323 */ 2324 plainlen = cipherlen - hash->hash_len; 2325 2326 mp->b_wptr = mp->b_rptr + plainlen; 2327 2328 result = kef_encr_hmac(&tmi->enc_data, 2329 (void *)mp, (size_t)plainlen, 2330 (char *)(mp->b_rptr + plainlen), 2331 hash->hash_len); 2332 } else { 2333 ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp)); 2334 mp->b_wptr = mp->b_rptr + cipherlen; 2335 result = kef_crypt(&tmi->enc_data, (void *)mp, 2336 CRYPTO_DATA_MBLK, (size_t)cipherlen, 2337 CRYPT_ENCRYPT); 2338 } 2339 failure: 2340 if (result != CRYPTO_SUCCESS) { 2341 #ifdef DEBUG 2342 cmn_err(CE_WARN, 2343 "des_cbc_encrypt: kef_crypt encrypt " 2344 "failed (len: %ld) - error %0x", 2345 cipherlen, result); 2346 #endif 2347 mp->b_datap->db_type = M_ERROR; 2348 mp->b_rptr = mp->b_datap->db_base; 2349 *mp->b_rptr = EIO; 2350 mp->b_wptr = mp->b_rptr + sizeof (char); 2351 freemsg(mp->b_cont); 2352 mp->b_cont = NULL; 2353 qreply(WR(q), mp); 2354 return (NULL); 2355 } else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) { 2356 /* 2357 * Because we are using KEF, we must manually 2358 * update our IV. 2359 */ 2360 bcopy(mp->b_wptr - tmi->enc_data.ivlen, 2361 tmi->enc_data.block, tmi->enc_data.ivlen); 2362 } 2363 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2364 mp->b_wptr = mp->b_rptr + cipherlen; 2365 } 2366 2367 return (mp); 2368 } 2369 2370 /* 2371 * des_cbc_decrypt 2372 * 2373 * 2374 * Needed to support userland apps that must support Kerberos V5 2375 * encryption DES-CBC decryption modes. 2376 * 2377 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1 2378 * 2379 * format of ciphertext for DES-CBC functions, per RFC1510 is: 2380 * +-----------+----------+-------------+-----+ 2381 * |confounder | cksum | msg-data | pad | 2382 * +-----------+----------+-------------+-----+ 2383 * 2384 * format of ciphertext when using DES3-SHA1-HMAC 2385 * +-----------+----------+-------------+-----+ 2386 * |confounder | msg-data | hmac | pad | 2387 * +-----------+----------+-------------+-----+ 2388 * 2389 * The confounder is 8 bytes of random data. 2390 * The cksum depends on the hash being used. 2391 * 4 bytes for CRC32 2392 * 16 bytes for MD5 2393 * 20 bytes for SHA1 2394 * 0 bytes for RAW 2395 * 2396 */ 2397 static mblk_t * 2398 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) 2399 { 2400 uint_t inlen, datalen; 2401 int result = 0; 2402 uchar_t *optr = NULL; 2403 uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN]; 2404 uchar_t nextiv[DEFAULT_DES_BLOCKLEN]; 2405 2406 /* Compute adjusted size */ 2407 inlen = MBLKL(mp); 2408 2409 optr = mp->b_rptr; 2410 2411 /* 2412 * In order to support the "old" Kerberos RCMD protocol, 2413 * we must use the IVEC 3 different ways: 2414 * IVEC_REUSE = keep using the same IV each time, this is 2415 * ugly and insecure, but necessary for 2416 * backwards compatibility with existing MIT code. 2417 * IVEC_ONETIME = Use the ivec as initialized when the crypto 2418 * was setup (see setup_crypto routine). 2419 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk). 2420 */ 2421 if (tmi->dec_data.ivec_usage == IVEC_NEVER) 2422 bzero(tmi->dec_data.block, tmi->dec_data.blocklen); 2423 else if (tmi->dec_data.ivec_usage == IVEC_REUSE) 2424 bcopy(tmi->dec_data.ivec, tmi->dec_data.block, 2425 tmi->dec_data.blocklen); 2426 2427 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2428 /* 2429 * Do not decrypt the HMAC at the end 2430 */ 2431 int decrypt_len = inlen - hash->hash_len; 2432 2433 /* 2434 * Move the wptr so the mblk appears to end 2435 * BEFORE the HMAC section. 2436 */ 2437 mp->b_wptr = mp->b_rptr + decrypt_len; 2438 2439 /* 2440 * Because we are using KEF, we must manually update our 2441 * IV. 2442 */ 2443 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { 2444 bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen, 2445 nextiv, tmi->dec_data.ivlen); 2446 } 2447 2448 result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len, 2449 (char *)newcksum, hash->hash_len); 2450 } else { 2451 /* 2452 * Because we are using KEF, we must manually update our 2453 * IV. 2454 */ 2455 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { 2456 bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv, 2457 tmi->dec_data.ivlen); 2458 } 2459 result = kef_crypt(&tmi->dec_data, (void *)mp, 2460 CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT); 2461 } 2462 if (result != CRYPTO_SUCCESS) { 2463 #ifdef DEBUG 2464 cmn_err(CE_WARN, 2465 "des_cbc_decrypt: kef_crypt decrypt " 2466 "failed - error %0x", result); 2467 #endif 2468 mp->b_datap->db_type = M_ERROR; 2469 mp->b_rptr = mp->b_datap->db_base; 2470 *mp->b_rptr = EIO; 2471 mp->b_wptr = mp->b_rptr + sizeof (char); 2472 freemsg(mp->b_cont); 2473 mp->b_cont = NULL; 2474 qreply(WR(q), mp); 2475 return (NULL); 2476 } 2477 2478 /* 2479 * Manually update the IV, KEF does not track this for us. 2480 */ 2481 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { 2482 bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen); 2483 } 2484 2485 /* Verify the checksum(if necessary) */ 2486 if (hash->hash_len > 0) { 2487 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2488 bcopy(mp->b_rptr + inlen - hash->hash_len, cksum, 2489 hash->hash_len); 2490 } else { 2491 bcopy(optr + hash->confound_len, cksum, hash->hash_len); 2492 2493 /* zero the cksum in the buffer */ 2494 ASSERT(optr + hash->confound_len + hash->hash_len <= 2495 DB_LIM(mp)); 2496 bzero(optr + hash->confound_len, hash->hash_len); 2497 2498 /* calculate MD5 chksum of confounder + input */ 2499 if (hash->hashfunc) { 2500 (void) hash->hashfunc(newcksum, optr, inlen); 2501 } 2502 } 2503 2504 if (bcmp(cksum, newcksum, hash->hash_len)) { 2505 #ifdef DEBUG 2506 cmn_err(CE_WARN, "des_cbc_decrypt: checksum " 2507 "verification failed"); 2508 #endif 2509 mp->b_datap->db_type = M_ERROR; 2510 mp->b_rptr = mp->b_datap->db_base; 2511 *mp->b_rptr = EIO; 2512 mp->b_wptr = mp->b_rptr + sizeof (char); 2513 freemsg(mp->b_cont); 2514 mp->b_cont = NULL; 2515 qreply(WR(q), mp); 2516 return (NULL); 2517 } 2518 } 2519 2520 datalen = inlen - hash->confound_len - hash->hash_len; 2521 2522 /* Move just the decrypted input into place if necessary */ 2523 if (hash->confound_len > 0 || hash->hash_len > 0) { 2524 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) 2525 mp->b_rptr += hash->confound_len; 2526 else 2527 mp->b_rptr += hash->confound_len + hash->hash_len; 2528 } 2529 2530 ASSERT(mp->b_rptr + datalen <= DB_LIM(mp)); 2531 mp->b_wptr = mp->b_rptr + datalen; 2532 2533 return (mp); 2534 } 2535 2536 static mblk_t * 2537 do_decrypt(queue_t *q, mblk_t *mp) 2538 { 2539 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 2540 mblk_t *outmp; 2541 2542 switch (tmi->dec_data.method) { 2543 case CRYPT_METHOD_DES_CFB: 2544 outmp = des_cfb_decrypt(q, tmi, mp); 2545 break; 2546 case CRYPT_METHOD_NONE: 2547 outmp = mp; 2548 break; 2549 case CRYPT_METHOD_DES_CBC_NULL: 2550 outmp = des_cbc_decrypt(q, tmi, mp, &null_hash); 2551 break; 2552 case CRYPT_METHOD_DES_CBC_MD5: 2553 outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash); 2554 break; 2555 case CRYPT_METHOD_DES_CBC_CRC: 2556 outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash); 2557 break; 2558 case CRYPT_METHOD_DES3_CBC_SHA1: 2559 outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash); 2560 break; 2561 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 2562 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 2563 outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash); 2564 break; 2565 case CRYPT_METHOD_AES128: 2566 case CRYPT_METHOD_AES256: 2567 outmp = aes_decrypt(q, tmi, mp, &sha1_hash); 2568 break; 2569 } 2570 return (outmp); 2571 } 2572 2573 /* 2574 * do_encrypt 2575 * 2576 * Generic encryption routine for a single message block. 2577 * The input mblk may be replaced by some encrypt routines 2578 * because they add extra data in some cases that may exceed 2579 * the input mblk_t size limit. 2580 */ 2581 static mblk_t * 2582 do_encrypt(queue_t *q, mblk_t *mp) 2583 { 2584 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 2585 mblk_t *outmp; 2586 2587 switch (tmi->enc_data.method) { 2588 case CRYPT_METHOD_DES_CFB: 2589 outmp = des_cfb_encrypt(q, tmi, mp); 2590 break; 2591 case CRYPT_METHOD_DES_CBC_NULL: 2592 outmp = des_cbc_encrypt(q, tmi, mp, &null_hash); 2593 break; 2594 case CRYPT_METHOD_DES_CBC_MD5: 2595 outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash); 2596 break; 2597 case CRYPT_METHOD_DES_CBC_CRC: 2598 outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash); 2599 break; 2600 case CRYPT_METHOD_DES3_CBC_SHA1: 2601 outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash); 2602 break; 2603 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 2604 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 2605 outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash); 2606 break; 2607 case CRYPT_METHOD_AES128: 2608 case CRYPT_METHOD_AES256: 2609 outmp = aes_encrypt(q, tmi, mp, &sha1_hash); 2610 break; 2611 case CRYPT_METHOD_NONE: 2612 outmp = mp; 2613 break; 2614 } 2615 return (outmp); 2616 } 2617 2618 /* 2619 * setup_crypto 2620 * 2621 * This takes the data from the CRYPTIOCSETUP ioctl 2622 * and sets up a cipher_data_t structure for either 2623 * encryption or decryption. This is where the 2624 * key and initialization vector data get stored 2625 * prior to beginning any crypto functions. 2626 * 2627 * Special note: 2628 * Some applications(e.g. telnetd) have ability to switch 2629 * crypto on/off periodically. Thus, the application may call 2630 * the CRYPTIOCSETUP ioctl many times for the same stream. 2631 * If the CRYPTIOCSETUP is called with 0 length key or ivec fields 2632 * assume that the key, block, and saveblock fields that are already 2633 * set from a previous CRIOCSETUP call are still valid. This helps avoid 2634 * a rekeying error that could occur if we overwrite these fields 2635 * with each CRYPTIOCSETUP call. 2636 * In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off 2637 * without resetting the original crypto parameters. 2638 * 2639 */ 2640 static int 2641 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt) 2642 { 2643 uint_t newblocklen; 2644 uint32_t enc_usage = 0, dec_usage = 0; 2645 int rv; 2646 2647 /* 2648 * Initial sanity checks 2649 */ 2650 if (!CR_METHOD_OK(ci->crypto_method)) { 2651 cmn_err(CE_WARN, "Illegal crypto method (%d)", 2652 ci->crypto_method); 2653 return (EINVAL); 2654 } 2655 if (!CR_OPTIONS_OK(ci->option_mask)) { 2656 cmn_err(CE_WARN, "Illegal crypto options (%d)", 2657 ci->option_mask); 2658 return (EINVAL); 2659 } 2660 if (!CR_IVUSAGE_OK(ci->ivec_usage)) { 2661 cmn_err(CE_WARN, "Illegal ivec usage value (%d)", 2662 ci->ivec_usage); 2663 return (EINVAL); 2664 } 2665 2666 cd->method = ci->crypto_method; 2667 cd->bytes = 0; 2668 2669 if (ci->keylen > 0) { 2670 if (cd->key != NULL) { 2671 kmem_free(cd->key, cd->keylen); 2672 cd->key = NULL; 2673 cd->keylen = 0; 2674 } 2675 /* 2676 * cd->key holds the copy of the raw key bytes passed in 2677 * from the userland app. 2678 */ 2679 cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP); 2680 2681 cd->keylen = ci->keylen; 2682 bcopy(ci->key, cd->key, (size_t)ci->keylen); 2683 } 2684 2685 /* 2686 * Configure the block size based on the type of cipher. 2687 */ 2688 switch (cd->method) { 2689 case CRYPT_METHOD_NONE: 2690 newblocklen = 0; 2691 break; 2692 case CRYPT_METHOD_DES_CFB: 2693 newblocklen = DEFAULT_DES_BLOCKLEN; 2694 cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB); 2695 break; 2696 case CRYPT_METHOD_DES_CBC_NULL: 2697 case CRYPT_METHOD_DES_CBC_MD5: 2698 case CRYPT_METHOD_DES_CBC_CRC: 2699 newblocklen = DEFAULT_DES_BLOCKLEN; 2700 cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC); 2701 break; 2702 case CRYPT_METHOD_DES3_CBC_SHA1: 2703 newblocklen = DEFAULT_DES_BLOCKLEN; 2704 cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC); 2705 /* 3DES always uses the old usage constant */ 2706 enc_usage = RCMDV1_USAGE; 2707 dec_usage = RCMDV1_USAGE; 2708 break; 2709 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 2710 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 2711 newblocklen = 0; 2712 cd->mech_type = crypto_mech2id(SUN_CKM_RC4); 2713 break; 2714 case CRYPT_METHOD_AES128: 2715 case CRYPT_METHOD_AES256: 2716 newblocklen = DEFAULT_AES_BLOCKLEN; 2717 cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB); 2718 enc_usage = AES_ENCRYPT_USAGE; 2719 dec_usage = AES_DECRYPT_USAGE; 2720 break; 2721 } 2722 if (cd->mech_type == CRYPTO_MECH_INVALID) { 2723 return (CRYPTO_FAILED); 2724 } 2725 2726 /* 2727 * If RC4, initialize the master crypto key used by 2728 * the RC4 algorithm to derive the final encrypt and decrypt keys. 2729 */ 2730 if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) { 2731 /* 2732 * cd->ckey is a kernel crypto key structure used as the 2733 * master key in the RC4-HMAC crypto operations. 2734 */ 2735 if (cd->ckey == NULL) { 2736 cd->ckey = (crypto_key_t *)kmem_zalloc( 2737 sizeof (crypto_key_t), KM_SLEEP); 2738 } 2739 2740 cd->ckey->ck_format = CRYPTO_KEY_RAW; 2741 cd->ckey->ck_data = cd->key; 2742 2743 /* key length for EF is measured in bits */ 2744 cd->ckey->ck_length = cd->keylen * 8; 2745 } 2746 2747 /* 2748 * cd->block and cd->saveblock are used as temporary storage for 2749 * data that must be carried over between encrypt/decrypt operations 2750 * in some of the "feedback" modes. 2751 */ 2752 if (newblocklen != cd->blocklen) { 2753 if (cd->block != NULL) { 2754 kmem_free(cd->block, cd->blocklen); 2755 cd->block = NULL; 2756 } 2757 2758 if (cd->saveblock != NULL) { 2759 kmem_free(cd->saveblock, cd->blocklen); 2760 cd->saveblock = NULL; 2761 } 2762 2763 cd->blocklen = newblocklen; 2764 if (cd->blocklen) { 2765 cd->block = (char *)kmem_zalloc((size_t)cd->blocklen, 2766 KM_SLEEP); 2767 } 2768 2769 if (cd->method == CRYPT_METHOD_DES_CFB) 2770 cd->saveblock = (char *)kmem_zalloc(cd->blocklen, 2771 KM_SLEEP); 2772 else 2773 cd->saveblock = NULL; 2774 } 2775 2776 if (ci->iveclen != cd->ivlen) { 2777 if (cd->ivec != NULL) { 2778 kmem_free(cd->ivec, cd->ivlen); 2779 cd->ivec = NULL; 2780 } 2781 if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) { 2782 cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen, 2783 KM_SLEEP); 2784 cd->ivlen = ci->iveclen; 2785 } else { 2786 cd->ivlen = 0; 2787 cd->ivec = NULL; 2788 } 2789 } 2790 cd->option_mask = ci->option_mask; 2791 2792 /* 2793 * Old protocol requires a static 'usage' value for 2794 * deriving keys. Yuk. 2795 */ 2796 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) { 2797 enc_usage = dec_usage = RCMDV1_USAGE; 2798 } 2799 2800 if (cd->ivlen > cd->blocklen) { 2801 cmn_err(CE_WARN, "setup_crypto: IV longer than block size"); 2802 return (EINVAL); 2803 } 2804 2805 /* 2806 * If we are using an IVEC "correctly" (i.e. set it once) 2807 * copy it here. 2808 */ 2809 if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL) 2810 bcopy(ci->ivec, cd->block, (size_t)cd->ivlen); 2811 2812 cd->ivec_usage = ci->ivec_usage; 2813 if (cd->ivec != NULL) { 2814 /* Save the original IVEC in case we need it later */ 2815 bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen); 2816 } 2817 /* 2818 * Special handling for 3DES-SHA1-HMAC and AES crypto: 2819 * generate derived keys and context templates 2820 * for better performance. 2821 */ 2822 if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 || 2823 IS_AES_METHOD(cd->method)) { 2824 crypto_mechanism_t enc_mech; 2825 crypto_mechanism_t hmac_mech; 2826 2827 if (cd->d_encr_key.ck_data != NULL) { 2828 bzero(cd->d_encr_key.ck_data, cd->keylen); 2829 kmem_free(cd->d_encr_key.ck_data, cd->keylen); 2830 } 2831 2832 if (cd->d_hmac_key.ck_data != NULL) { 2833 bzero(cd->d_hmac_key.ck_data, cd->keylen); 2834 kmem_free(cd->d_hmac_key.ck_data, cd->keylen); 2835 } 2836 2837 if (cd->enc_tmpl != NULL) 2838 (void) crypto_destroy_ctx_template(cd->enc_tmpl); 2839 2840 if (cd->hmac_tmpl != NULL) 2841 (void) crypto_destroy_ctx_template(cd->hmac_tmpl); 2842 2843 enc_mech.cm_type = cd->mech_type; 2844 enc_mech.cm_param = cd->ivec; 2845 enc_mech.cm_param_len = cd->ivlen; 2846 2847 hmac_mech.cm_type = sha1_hmac_mech; 2848 hmac_mech.cm_param = NULL; 2849 hmac_mech.cm_param_len = 0; 2850 2851 /* 2852 * Create the derived keys. 2853 */ 2854 rv = create_derived_keys(cd, 2855 (encrypt ? enc_usage : dec_usage), 2856 &cd->d_encr_key, &cd->d_hmac_key); 2857 2858 if (rv != CRYPTO_SUCCESS) { 2859 cmn_err(CE_WARN, "failed to create derived " 2860 "keys: %0x", rv); 2861 return (CRYPTO_FAILED); 2862 } 2863 2864 rv = crypto_create_ctx_template(&enc_mech, 2865 &cd->d_encr_key, 2866 &cd->enc_tmpl, KM_SLEEP); 2867 if (rv == CRYPTO_MECH_NOT_SUPPORTED) { 2868 cd->enc_tmpl = NULL; 2869 } else if (rv != CRYPTO_SUCCESS) { 2870 cmn_err(CE_WARN, "failed to create enc template " 2871 "for d_encr_key: %0x", rv); 2872 return (CRYPTO_FAILED); 2873 } 2874 2875 rv = crypto_create_ctx_template(&hmac_mech, 2876 &cd->d_hmac_key, 2877 &cd->hmac_tmpl, KM_SLEEP); 2878 if (rv == CRYPTO_MECH_NOT_SUPPORTED) { 2879 cd->hmac_tmpl = NULL; 2880 } else if (rv != CRYPTO_SUCCESS) { 2881 cmn_err(CE_WARN, "failed to create hmac template:" 2882 " %0x", rv); 2883 return (CRYPTO_FAILED); 2884 } 2885 } else if (IS_RC4_METHOD(cd->method)) { 2886 bzero(&cd->d_encr_key, sizeof (crypto_key_t)); 2887 bzero(&cd->d_hmac_key, sizeof (crypto_key_t)); 2888 cd->ctx = NULL; 2889 cd->enc_tmpl = NULL; 2890 cd->hmac_tmpl = NULL; 2891 } 2892 2893 /* Final sanity checks, make sure no fields are NULL */ 2894 if (cd->method != CRYPT_METHOD_NONE) { 2895 if (cd->block == NULL && cd->blocklen > 0) { 2896 #ifdef DEBUG 2897 cmn_err(CE_WARN, 2898 "setup_crypto: IV block not allocated"); 2899 #endif 2900 return (ENOMEM); 2901 } 2902 if (cd->key == NULL && cd->keylen > 0) { 2903 #ifdef DEBUG 2904 cmn_err(CE_WARN, 2905 "setup_crypto: key block not allocated"); 2906 #endif 2907 return (ENOMEM); 2908 } 2909 if (cd->method == CRYPT_METHOD_DES_CFB && 2910 cd->saveblock == NULL && cd->blocklen > 0) { 2911 #ifdef DEBUG 2912 cmn_err(CE_WARN, 2913 "setup_crypto: save block not allocated"); 2914 #endif 2915 return (ENOMEM); 2916 } 2917 if (cd->ivec == NULL && cd->ivlen > 0) { 2918 #ifdef DEBUG 2919 cmn_err(CE_WARN, 2920 "setup_crypto: IV not allocated"); 2921 #endif 2922 return (ENOMEM); 2923 } 2924 } 2925 return (0); 2926 } 2927 2928 /* 2929 * RCMDS require a 4 byte, clear text 2930 * length field before each message. 2931 * Add it now. 2932 */ 2933 static mblk_t * 2934 mklenmp(mblk_t *bp, uint32_t len) 2935 { 2936 mblk_t *lenmp; 2937 uchar_t *ucp; 2938 2939 if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) { 2940 lenmp = allocb(4, BPRI_MED); 2941 if (lenmp != NULL) { 2942 lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp); 2943 linkb(lenmp, bp); 2944 bp = lenmp; 2945 } 2946 } 2947 ucp = bp->b_rptr; 2948 *--ucp = len; 2949 *--ucp = len >> 8; 2950 *--ucp = len >> 16; 2951 *--ucp = len >> 24; 2952 2953 bp->b_rptr = ucp; 2954 2955 return (bp); 2956 } 2957 2958 static mblk_t * 2959 encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen) 2960 { 2961 mblk_t *newmp; 2962 size_t headspace; 2963 2964 mblk_t *cbp; 2965 size_t cipherlen; 2966 size_t extra = 0; 2967 uint32_t ptlen = (uint32_t)plainlen; 2968 /* 2969 * If we are using the "NEW" RCMD mode, 2970 * add 4 bytes to the plaintext for the 2971 * plaintext length that gets prepended 2972 * before encrypting. 2973 */ 2974 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 2975 ptlen += 4; 2976 2977 cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen); 2978 2979 /* 2980 * if we must allocb, then make sure its enough 2981 * to hold the length field so we dont have to allocb 2982 * again down below in 'mklenmp' 2983 */ 2984 if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) { 2985 extra = sizeof (uint32_t); 2986 } 2987 2988 /* 2989 * Calculate how much space is needed in front of 2990 * the data. 2991 */ 2992 headspace = plaintext_offset(&tmi->enc_data); 2993 2994 /* 2995 * If the current block is too small, reallocate 2996 * one large enough to hold the hdr, tail, and 2997 * ciphertext. 2998 */ 2999 if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) { 3000 int sz = P2ROUNDUP(cipherlen+extra, 8); 3001 3002 cbp = allocb_tmpl(sz, mp); 3003 if (cbp == NULL) { 3004 cmn_err(CE_WARN, 3005 "allocb (%d bytes) failed", sz); 3006 return (NULL); 3007 } 3008 3009 cbp->b_cont = mp->b_cont; 3010 3011 /* 3012 * headspace includes the length fields needed 3013 * for the RCMD modes (v1 == 4 bytes, V2 = 8) 3014 */ 3015 cbp->b_rptr = DB_BASE(cbp) + headspace; 3016 3017 ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen, 8) 3018 <= DB_LIM(cbp)); 3019 3020 bcopy(mp->b_rptr, cbp->b_rptr, plainlen); 3021 cbp->b_wptr = cbp->b_rptr + plainlen; 3022 3023 freeb(mp); 3024 } else { 3025 size_t extra = 0; 3026 cbp = mp; 3027 3028 /* 3029 * Some ciphers add HMAC after the final block 3030 * of the ciphertext, not at the beginning like the 3031 * 1-DES ciphers. 3032 */ 3033 if (tmi->enc_data.method == 3034 CRYPT_METHOD_DES3_CBC_SHA1 || 3035 IS_AES_METHOD(tmi->enc_data.method)) { 3036 extra = sha1_hash.hash_len; 3037 } 3038 3039 /* 3040 * Make sure the rptr is positioned correctly so that 3041 * routines later do not have to shift this data around 3042 */ 3043 if ((cbp->b_rptr + P2ROUNDUP(plainlen + extra, 8) > 3044 DB_LIM(cbp)) || 3045 (cbp->b_rptr - headspace < DB_BASE(cbp))) { 3046 ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace, 3047 plainlen); 3048 cbp->b_rptr = DB_BASE(cbp) + headspace; 3049 cbp->b_wptr = cbp->b_rptr + plainlen; 3050 } 3051 } 3052 3053 ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp)); 3054 ASSERT(cbp->b_wptr <= DB_LIM(cbp)); 3055 3056 /* 3057 * If using RCMD_MODE_V2 (new rcmd mode), prepend 3058 * the plaintext length before the actual plaintext. 3059 */ 3060 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) { 3061 cbp->b_rptr -= RCMD_LEN_SZ; 3062 3063 /* put plaintext length at head of buffer */ 3064 *(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff); 3065 *(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff); 3066 *(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff); 3067 *(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff); 3068 } 3069 3070 newmp = do_encrypt(q, cbp); 3071 3072 if (newmp != NULL && 3073 (tmi->enc_data.option_mask & 3074 (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) { 3075 mblk_t *lp; 3076 /* 3077 * Add length field, required when this is 3078 * used to encrypt "r*" commands(rlogin, rsh) 3079 * with Kerberos. 3080 */ 3081 lp = mklenmp(newmp, plainlen); 3082 3083 if (lp == NULL) { 3084 freeb(newmp); 3085 return (NULL); 3086 } else { 3087 newmp = lp; 3088 } 3089 } 3090 return (newmp); 3091 } 3092 3093 /* 3094 * encrypt_msgb 3095 * 3096 * encrypt a single message. This routine adds the 3097 * RCMD overhead bytes when necessary. 3098 */ 3099 static mblk_t * 3100 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) 3101 { 3102 size_t plainlen, outlen; 3103 mblk_t *newmp = NULL; 3104 3105 /* If not encrypting, do nothing */ 3106 if (tmi->enc_data.method == CRYPT_METHOD_NONE) { 3107 return (mp); 3108 } 3109 3110 plainlen = MBLKL(mp); 3111 if (plainlen == 0) 3112 return (NULL); 3113 3114 /* 3115 * If the block is too big, we encrypt in 4K chunks so that 3116 * older rlogin clients do not choke on the larger buffers. 3117 */ 3118 while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) { 3119 mblk_t *mp1 = NULL; 3120 outlen = MSGBUF_SIZE; 3121 /* 3122 * Allocate a new buffer that is only 4K bytes, the 3123 * extra bytes are for crypto overhead. 3124 */ 3125 mp1 = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED); 3126 if (mp1 == NULL) { 3127 cmn_err(CE_WARN, 3128 "allocb (%d bytes) failed", 3129 (int)(outlen + CONFOUNDER_BYTES)); 3130 return (NULL); 3131 } 3132 /* Copy the next 4K bytes from the old block. */ 3133 bcopy(mp->b_rptr, mp1->b_rptr, outlen); 3134 mp1->b_wptr = mp1->b_rptr + outlen; 3135 /* Advance the old block. */ 3136 mp->b_rptr += outlen; 3137 3138 /* encrypt the new block */ 3139 newmp = encrypt_block(q, tmi, mp1, outlen); 3140 if (newmp == NULL) 3141 return (NULL); 3142 3143 putnext(q, newmp); 3144 } 3145 newmp = NULL; 3146 /* If there is data left (< MSGBUF_SIZE), encrypt it. */ 3147 if ((plainlen = MBLKL(mp)) > 0) 3148 newmp = encrypt_block(q, tmi, mp, plainlen); 3149 3150 return (newmp); 3151 } 3152 3153 /* 3154 * cryptmodwsrv 3155 * 3156 * Service routine for the write queue. 3157 * 3158 * Because data may be placed in the queue to hold between 3159 * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed. 3160 */ 3161 static int 3162 cryptmodwsrv(queue_t *q) 3163 { 3164 mblk_t *mp; 3165 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 3166 3167 while ((mp = getq(q)) != NULL) { 3168 switch (mp->b_datap->db_type) { 3169 default: 3170 /* 3171 * wput does not queue anything > QPCTL 3172 */ 3173 if (!canputnext(q) || 3174 !(tmi->ready & CRYPT_WRITE_READY)) { 3175 if (!putbq(q, mp)) { 3176 freemsg(mp); 3177 } 3178 return (0); 3179 } 3180 putnext(q, mp); 3181 break; 3182 case M_DATA: 3183 if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) { 3184 mblk_t *bp; 3185 mblk_t *newmsg = NULL; 3186 3187 /* 3188 * If multiple msgs, concat into 1 3189 * to minimize crypto operations later. 3190 */ 3191 if (mp->b_cont != NULL) { 3192 bp = msgpullup(mp, -1); 3193 if (bp != NULL) { 3194 freemsg(mp); 3195 mp = bp; 3196 } 3197 } 3198 newmsg = encrypt_msgb(q, tmi, mp); 3199 if (newmsg != NULL) 3200 putnext(q, newmsg); 3201 } else { 3202 if (!putbq(q, mp)) { 3203 freemsg(mp); 3204 } 3205 return (0); 3206 } 3207 break; 3208 } 3209 } 3210 return (0); 3211 } 3212 3213 static void 3214 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir) 3215 { 3216 mblk_t *newmp = NULL; 3217 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr; 3218 3219 if (dir == CRYPT_ENCRYPT) { 3220 tmi->ready |= CRYPT_WRITE_READY; 3221 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, 3222 "start_stream: restart ENCRYPT/WRITE q")); 3223 3224 enableok(wq); 3225 qenable(wq); 3226 } else if (dir == CRYPT_DECRYPT) { 3227 /* 3228 * put any extra data in the RD 3229 * queue to be processed and 3230 * sent back up. 3231 */ 3232 newmp = mp->b_cont; 3233 mp->b_cont = NULL; 3234 3235 tmi->ready |= CRYPT_READ_READY; 3236 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3237 SL_TRACE|SL_NOTE, 3238 "start_stream: restart " 3239 "DECRYPT/READ q")); 3240 3241 if (newmp != NULL) 3242 if (!putbq(RD(wq), newmp)) 3243 freemsg(newmp); 3244 3245 enableok(RD(wq)); 3246 qenable(RD(wq)); 3247 } 3248 3249 miocack(wq, mp, 0, 0); 3250 } 3251 3252 /* 3253 * Write-side put procedure. Its main task is to detect ioctls and 3254 * FLUSH operations. Other message types are passed on through. 3255 */ 3256 static void 3257 cryptmodwput(queue_t *wq, mblk_t *mp) 3258 { 3259 struct iocblk *iocp; 3260 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr; 3261 int ret, err; 3262 3263 switch (mp->b_datap->db_type) { 3264 case M_DATA: 3265 if (wq->q_first == NULL && canputnext(wq) && 3266 (tmi->ready & CRYPT_WRITE_READY) && 3267 tmi->enc_data.method == CRYPT_METHOD_NONE) { 3268 putnext(wq, mp); 3269 return; 3270 } 3271 /* else, put it in the service queue */ 3272 if (!putq(wq, mp)) { 3273 freemsg(mp); 3274 } 3275 break; 3276 case M_FLUSH: 3277 if (*mp->b_rptr & FLUSHW) { 3278 flushq(wq, FLUSHDATA); 3279 } 3280 putnext(wq, mp); 3281 break; 3282 case M_IOCTL: 3283 iocp = (struct iocblk *)mp->b_rptr; 3284 switch (iocp->ioc_cmd) { 3285 case CRYPTIOCSETUP: 3286 ret = 0; 3287 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3288 SL_TRACE | SL_NOTE, 3289 "wput: got CRYPTIOCSETUP " 3290 "ioctl(%d)", iocp->ioc_cmd)); 3291 3292 if ((err = miocpullup(mp, 3293 sizeof (struct cr_info_t))) != 0) { 3294 cmn_err(CE_WARN, 3295 "wput: miocpullup failed for cr_info_t"); 3296 miocnak(wq, mp, 0, err); 3297 } else { 3298 struct cr_info_t *ci; 3299 ci = (struct cr_info_t *)mp->b_cont->b_rptr; 3300 3301 if (ci->direction_mask & CRYPT_ENCRYPT) { 3302 ret = setup_crypto(ci, &tmi->enc_data, 1); 3303 } 3304 3305 if (ret == 0 && 3306 (ci->direction_mask & CRYPT_DECRYPT)) { 3307 ret = setup_crypto(ci, &tmi->dec_data, 0); 3308 } 3309 if (ret == 0 && 3310 (ci->direction_mask & CRYPT_DECRYPT) && 3311 ANY_RCMD_MODE(tmi->dec_data.option_mask)) { 3312 bzero(&tmi->rcmd_state, 3313 sizeof (tmi->rcmd_state)); 3314 } 3315 if (ret == 0) { 3316 miocack(wq, mp, 0, 0); 3317 } else { 3318 cmn_err(CE_WARN, 3319 "wput: setup_crypto failed"); 3320 miocnak(wq, mp, 0, ret); 3321 } 3322 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3323 SL_TRACE|SL_NOTE, 3324 "wput: done with SETUP " 3325 "ioctl")); 3326 } 3327 break; 3328 case CRYPTIOCSTOP: 3329 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3330 SL_TRACE|SL_NOTE, 3331 "wput: got CRYPTIOCSTOP " 3332 "ioctl(%d)", iocp->ioc_cmd)); 3333 3334 if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) { 3335 cmn_err(CE_WARN, 3336 "wput: CRYPTIOCSTOP ioctl wrong " 3337 "size (%d should be %d)", 3338 (int)iocp->ioc_count, 3339 (int)sizeof (uint32_t)); 3340 miocnak(wq, mp, 0, err); 3341 } else { 3342 uint32_t *stopdir; 3343 3344 stopdir = (uint32_t *)mp->b_cont->b_rptr; 3345 if (!CR_DIRECTION_OK(*stopdir)) { 3346 miocnak(wq, mp, 0, EINVAL); 3347 return; 3348 } 3349 3350 /* disable the queues until further notice */ 3351 if (*stopdir & CRYPT_ENCRYPT) { 3352 noenable(wq); 3353 tmi->ready &= ~CRYPT_WRITE_READY; 3354 } 3355 if (*stopdir & CRYPT_DECRYPT) { 3356 noenable(RD(wq)); 3357 tmi->ready &= ~CRYPT_READ_READY; 3358 } 3359 3360 miocack(wq, mp, 0, 0); 3361 } 3362 break; 3363 case CRYPTIOCSTARTDEC: 3364 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3365 SL_TRACE|SL_NOTE, 3366 "wput: got CRYPTIOCSTARTDEC " 3367 "ioctl(%d)", iocp->ioc_cmd)); 3368 3369 start_stream(wq, mp, CRYPT_DECRYPT); 3370 break; 3371 case CRYPTIOCSTARTENC: 3372 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3373 SL_TRACE|SL_NOTE, 3374 "wput: got CRYPTIOCSTARTENC " 3375 "ioctl(%d)", iocp->ioc_cmd)); 3376 3377 start_stream(wq, mp, CRYPT_ENCRYPT); 3378 break; 3379 default: 3380 putnext(wq, mp); 3381 break; 3382 } 3383 break; 3384 default: 3385 if (queclass(mp) < QPCTL) { 3386 if (wq->q_first != NULL || !canputnext(wq)) { 3387 if (!putq(wq, mp)) 3388 freemsg(mp); 3389 return; 3390 } 3391 } 3392 putnext(wq, mp); 3393 break; 3394 } 3395 } 3396 3397 /* 3398 * decrypt_rcmd_mblks 3399 * 3400 * Because kerberized r* commands(rsh, rlogin, etc) 3401 * use a 4 byte length field to indicate the # of 3402 * PLAINTEXT bytes that are encrypted in the field 3403 * that follows, we must parse out each message and 3404 * break out the length fields prior to sending them 3405 * upstream to our Solaris r* clients/servers which do 3406 * NOT understand this format. 3407 * 3408 * Kerberized/encrypted message format: 3409 * ------------------------------- 3410 * | XXXX | N bytes of ciphertext| 3411 * ------------------------------- 3412 * 3413 * Where: XXXX = number of plaintext bytes that were encrypted in 3414 * to make the ciphertext field. This is done 3415 * because we are using a cipher that pads out to 3416 * an 8 byte boundary. We only want the application 3417 * layer to see the correct number of plain text bytes, 3418 * not plaintext + pad. So, after we decrypt, we 3419 * must trim the output block down to the intended 3420 * plaintext length and eliminate the pad bytes. 3421 * 3422 * This routine takes the entire input message, breaks it into 3423 * a new message that does not contain these length fields and 3424 * returns a message consisting of mblks filled with just ciphertext. 3425 * 3426 */ 3427 static mblk_t * 3428 decrypt_rcmd_mblks(queue_t *q, mblk_t *mp) 3429 { 3430 mblk_t *newmp = NULL; 3431 size_t msglen; 3432 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 3433 3434 msglen = msgsize(mp); 3435 3436 /* 3437 * If we need the length field, get it here. 3438 * Test the "plaintext length" indicator. 3439 */ 3440 if (tmi->rcmd_state.pt_len == 0) { 3441 uint32_t elen; 3442 int tocopy; 3443 mblk_t *nextp; 3444 3445 /* 3446 * Make sure we have recieved all 4 bytes of the 3447 * length field. 3448 */ 3449 while (mp != NULL) { 3450 ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t)); 3451 3452 tocopy = sizeof (uint32_t) - 3453 tmi->rcmd_state.cd_len; 3454 if (tocopy > msglen) 3455 tocopy = msglen; 3456 3457 ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp)); 3458 bcopy(mp->b_rptr, 3459 (char *)(&tmi->rcmd_state.next_len + 3460 tmi->rcmd_state.cd_len), tocopy); 3461 3462 tmi->rcmd_state.cd_len += tocopy; 3463 3464 if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) { 3465 tmi->rcmd_state.next_len = 3466 ntohl(tmi->rcmd_state.next_len); 3467 break; 3468 } 3469 3470 nextp = mp->b_cont; 3471 mp->b_cont = NULL; 3472 freeb(mp); 3473 mp = nextp; 3474 } 3475 3476 if (mp == NULL) { 3477 return (NULL); 3478 } 3479 /* 3480 * recalculate the msglen now that we've read the 3481 * length and adjusted the bufptr (b_rptr). 3482 */ 3483 msglen -= tocopy; 3484 mp->b_rptr += tocopy; 3485 3486 tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len; 3487 3488 if (tmi->rcmd_state.pt_len <= 0) { 3489 /* 3490 * Return an IO error to break the connection. there 3491 * is no way to recover from this. Usually it means 3492 * the app has incorrectly requested decryption on 3493 * a non-encrypted stream, thus the "pt_len" field 3494 * is negative. 3495 */ 3496 mp->b_datap->db_type = M_ERROR; 3497 mp->b_rptr = mp->b_datap->db_base; 3498 *mp->b_rptr = EIO; 3499 mp->b_wptr = mp->b_rptr + sizeof (char); 3500 3501 freemsg(mp->b_cont); 3502 mp->b_cont = NULL; 3503 qreply(WR(q), mp); 3504 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0; 3505 return (NULL); 3506 } 3507 3508 /* 3509 * If this is V2 mode, then the encrypted data is actually 3510 * 4 bytes bigger than the indicated len because the plaintext 3511 * length is encrypted for an additional security check, but 3512 * its not counted as part of the overall length we just read. 3513 * Strange and confusing, but true. 3514 */ 3515 3516 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 3517 elen = tmi->rcmd_state.pt_len + 4; 3518 else 3519 elen = tmi->rcmd_state.pt_len; 3520 3521 tmi->rcmd_state.cd_len = encrypt_size(&tmi->dec_data, elen); 3522 3523 /* 3524 * Allocate an mblk to hold the cipher text until it is 3525 * all ready to be processed. 3526 */ 3527 tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len, 3528 BPRI_HI); 3529 if (tmi->rcmd_state.c_msg == NULL) { 3530 #ifdef DEBUG 3531 cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed " 3532 "for %d bytes", 3533 (int)tmi->rcmd_state.cd_len); 3534 #endif 3535 /* 3536 * Return an IO error to break the connection. 3537 */ 3538 mp->b_datap->db_type = M_ERROR; 3539 mp->b_rptr = mp->b_datap->db_base; 3540 *mp->b_rptr = EIO; 3541 mp->b_wptr = mp->b_rptr + sizeof (char); 3542 freemsg(mp->b_cont); 3543 mp->b_cont = NULL; 3544 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0; 3545 qreply(WR(q), mp); 3546 return (NULL); 3547 } 3548 } 3549 3550 /* 3551 * If this entire message was just the length field, 3552 * free and return. The actual data will probably be next. 3553 */ 3554 if (msglen == 0) { 3555 freemsg(mp); 3556 return (NULL); 3557 } 3558 3559 /* 3560 * Copy as much of the cipher text as possible into 3561 * the new msgb (c_msg). 3562 * 3563 * Logic: if we got some bytes (msglen) and we still 3564 * "need" some bytes (len-rcvd), get them here. 3565 */ 3566 ASSERT(tmi->rcmd_state.c_msg != NULL); 3567 if (msglen > 0 && 3568 (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) { 3569 mblk_t *bp, *nextp; 3570 size_t n; 3571 3572 /* 3573 * Walk the mblks and copy just as many bytes as we need 3574 * for this particular block of cipher text. 3575 */ 3576 bp = mp; 3577 while (bp != NULL) { 3578 size_t needed; 3579 size_t tocopy; 3580 n = MBLKL(bp); 3581 3582 needed = tmi->rcmd_state.cd_len - 3583 MBLKL(tmi->rcmd_state.c_msg); 3584 3585 tocopy = (needed >= n ? n : needed); 3586 3587 ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp)); 3588 ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <= 3589 DB_LIM(tmi->rcmd_state.c_msg)); 3590 3591 /* Copy to end of new mblk */ 3592 bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr, 3593 tocopy); 3594 3595 tmi->rcmd_state.c_msg->b_wptr += tocopy; 3596 3597 bp->b_rptr += tocopy; 3598 3599 nextp = bp->b_cont; 3600 3601 /* 3602 * If we used this whole block, free it and 3603 * move on. 3604 */ 3605 if (!MBLKL(bp)) { 3606 freeb(bp); 3607 bp = NULL; 3608 } 3609 3610 /* If we got what we needed, stop the loop */ 3611 if (MBLKL(tmi->rcmd_state.c_msg) == 3612 tmi->rcmd_state.cd_len) { 3613 /* 3614 * If there is more data in the message, 3615 * its for another block of cipher text, 3616 * put it back in the queue for next time. 3617 */ 3618 if (bp) { 3619 if (!putbq(q, bp)) 3620 freemsg(bp); 3621 } else if (nextp != NULL) { 3622 /* 3623 * If there is more, put it back in the 3624 * queue for another pass thru. 3625 */ 3626 if (!putbq(q, nextp)) 3627 freemsg(nextp); 3628 } 3629 break; 3630 } 3631 bp = nextp; 3632 } 3633 } 3634 /* 3635 * Finally, if we received all the cipher text data for 3636 * this message, decrypt it into a new msg and send it up 3637 * to the app. 3638 */ 3639 if (tmi->rcmd_state.pt_len > 0 && 3640 MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) { 3641 mblk_t *bp; 3642 mblk_t *newbp; 3643 3644 /* 3645 * Now we can use our msg that we created when the 3646 * initial message boundary was detected. 3647 */ 3648 bp = tmi->rcmd_state.c_msg; 3649 tmi->rcmd_state.c_msg = NULL; 3650 3651 newbp = do_decrypt(q, bp); 3652 if (newbp != NULL) { 3653 bp = newbp; 3654 /* 3655 * If using RCMD_MODE_V2 ("new" mode), 3656 * look at the 4 byte plaintext length that 3657 * was just decrypted and compare with the 3658 * original pt_len value that was received. 3659 */ 3660 if (tmi->dec_data.option_mask & 3661 CRYPTOPT_RCMD_MODE_V2) { 3662 uint32_t pt_len2; 3663 3664 pt_len2 = *(uint32_t *)bp->b_rptr; 3665 pt_len2 = ntohl(pt_len2); 3666 /* 3667 * Make sure the 2 pt len fields agree. 3668 */ 3669 if (pt_len2 != tmi->rcmd_state.pt_len) { 3670 cmn_err(CE_WARN, 3671 "Inconsistent length fields" 3672 " received %d != %d", 3673 (int)tmi->rcmd_state.pt_len, 3674 (int)pt_len2); 3675 bp->b_datap->db_type = M_ERROR; 3676 bp->b_rptr = bp->b_datap->db_base; 3677 *bp->b_rptr = EIO; 3678 bp->b_wptr = bp->b_rptr + sizeof (char); 3679 freemsg(bp->b_cont); 3680 bp->b_cont = NULL; 3681 tmi->rcmd_state.cd_len = 0; 3682 qreply(WR(q), bp); 3683 return (NULL); 3684 } 3685 bp->b_rptr += sizeof (uint32_t); 3686 } 3687 3688 /* 3689 * Trim the decrypted block the length originally 3690 * indicated by the sender. This is to remove any 3691 * padding bytes that the sender added to satisfy 3692 * requirements of the crypto algorithm. 3693 */ 3694 bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len; 3695 3696 newmp = bp; 3697 3698 /* 3699 * Reset our state to indicate we are ready 3700 * for a new message. 3701 */ 3702 tmi->rcmd_state.pt_len = 0; 3703 tmi->rcmd_state.cd_len = 0; 3704 } else { 3705 #ifdef DEBUG 3706 cmn_err(CE_WARN, 3707 "decrypt_rcmd: do_decrypt on %d bytes failed", 3708 (int)tmi->rcmd_state.cd_len); 3709 #endif 3710 /* 3711 * do_decrypt already handled failures, just 3712 * return NULL. 3713 */ 3714 tmi->rcmd_state.pt_len = 0; 3715 tmi->rcmd_state.cd_len = 0; 3716 return (NULL); 3717 } 3718 } 3719 3720 /* 3721 * return the new message with the 'length' fields removed 3722 */ 3723 return (newmp); 3724 } 3725 3726 /* 3727 * cryptmodrsrv 3728 * 3729 * Read queue service routine 3730 * Necessary because if the ready flag is not set 3731 * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data 3732 * must remain on queue and not be passed along. 3733 */ 3734 static int 3735 cryptmodrsrv(queue_t *q) 3736 { 3737 mblk_t *mp, *bp; 3738 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 3739 3740 while ((mp = getq(q)) != NULL) { 3741 switch (mp->b_datap->db_type) { 3742 case M_DATA: 3743 if (canputnext(q) && tmi->ready & CRYPT_READ_READY) { 3744 /* 3745 * Process "rcmd" messages differently because 3746 * they contain a 4 byte plaintext length 3747 * id that needs to be removed. 3748 */ 3749 if (tmi->dec_data.method != CRYPT_METHOD_NONE && 3750 (tmi->dec_data.option_mask & 3751 (CRYPTOPT_RCMD_MODE_V1 | 3752 CRYPTOPT_RCMD_MODE_V2))) { 3753 mp = decrypt_rcmd_mblks(q, mp); 3754 if (mp) 3755 putnext(q, mp); 3756 continue; 3757 } 3758 if ((bp = msgpullup(mp, -1)) != NULL) { 3759 freemsg(mp); 3760 if (MBLKL(bp) > 0) { 3761 mp = do_decrypt(q, bp); 3762 if (mp != NULL) 3763 putnext(q, mp); 3764 } 3765 } 3766 } else { 3767 if (!putbq(q, mp)) { 3768 freemsg(mp); 3769 } 3770 return (0); 3771 } 3772 break; 3773 default: 3774 /* 3775 * rput does not queue anything > QPCTL, so we don't 3776 * need to check for it here. 3777 */ 3778 if (!canputnext(q)) { 3779 if (!putbq(q, mp)) 3780 freemsg(mp); 3781 return (0); 3782 } 3783 putnext(q, mp); 3784 break; 3785 } 3786 } 3787 return (0); 3788 } 3789 3790 3791 /* 3792 * Read-side put procedure. 3793 */ 3794 static void 3795 cryptmodrput(queue_t *rq, mblk_t *mp) 3796 { 3797 switch (mp->b_datap->db_type) { 3798 case M_DATA: 3799 if (!putq(rq, mp)) { 3800 freemsg(mp); 3801 } 3802 break; 3803 case M_FLUSH: 3804 if (*mp->b_rptr & FLUSHR) { 3805 flushq(rq, FLUSHALL); 3806 } 3807 putnext(rq, mp); 3808 break; 3809 default: 3810 if (queclass(mp) < QPCTL) { 3811 if (rq->q_first != NULL || !canputnext(rq)) { 3812 if (!putq(rq, mp)) 3813 freemsg(mp); 3814 return; 3815 } 3816 } 3817 putnext(rq, mp); 3818 break; 3819 } 3820 } 3821