1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 * 26 * STREAMS Crypto Module 27 * 28 * This module is used to facilitate Kerberos encryption 29 * operations for the telnet daemon and rlogin daemon. 30 * Because the Solaris telnet and rlogin daemons run mostly 31 * in-kernel via 'telmod' and 'rlmod', this module must be 32 * pushed on the STREAM *below* telmod or rlmod. 33 * 34 * Parts of the 3DES key derivation code are covered by the 35 * following copyright. 36 * 37 * Copyright (C) 1998 by the FundsXpress, INC. 38 * 39 * All rights reserved. 40 * 41 * Export of this software from the United States of America may require 42 * a specific license from the United States Government. It is the 43 * responsibility of any person or organization contemplating export to 44 * obtain such a license before exporting. 45 * 46 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 47 * distribute this software and its documentation for any purpose and 48 * without fee is hereby granted, provided that the above copyright 49 * notice appear in all copies and that both that copyright notice and 50 * this permission notice appear in supporting documentation, and that 51 * the name of FundsXpress. not be used in advertising or publicity pertaining 52 * to distribution of the software without specific, written prior 53 * permission. FundsXpress makes no representations about the suitability of 54 * this software for any purpose. It is provided "as is" without express 55 * or implied warranty. 56 * 57 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 58 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 59 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 60 */ 61 #pragma ident "%Z%%M% %I% %E% SMI" 62 63 #include <sys/types.h> 64 #include <sys/sysmacros.h> 65 #include <sys/errno.h> 66 #include <sys/debug.h> 67 #include <sys/time.h> 68 #include <sys/stropts.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/strlog.h> 72 #include <sys/cmn_err.h> 73 #include <sys/conf.h> 74 #include <sys/sunddi.h> 75 #include <sys/kmem.h> 76 #include <sys/strsun.h> 77 #include <sys/random.h> 78 #include <sys/types.h> 79 #include <sys/byteorder.h> 80 #include <sys/cryptmod.h> 81 #include <sys/crc32.h> 82 #include <sys/policy.h> 83 84 #include <sys/crypto/api.h> 85 86 #include <sys/strft.h> 87 /* 88 * Function prototypes. 89 */ 90 static int cryptmodopen(queue_t *, dev_t *, int, int, cred_t *); 91 static void cryptmodrput(queue_t *, mblk_t *); 92 static void cryptmodwput(queue_t *, mblk_t *); 93 static int cryptmodclose(queue_t *); 94 static int cryptmodwsrv(queue_t *); 95 static int cryptmodrsrv(queue_t *); 96 97 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp); 98 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp); 99 100 #define CRYPTMOD_ID 5150 101 102 #define CFB_BLKSZ 8 103 104 #define K5CLENGTH 5 105 106 static struct module_info cryptmod_minfo = { 107 CRYPTMOD_ID, /* mi_idnum */ 108 "cryptmod", /* mi_idname */ 109 0, /* mi_minpsz */ 110 INFPSZ, /* mi_maxpsz */ 111 65536, /* mi_hiwat */ 112 1024 /* mi_lowat */ 113 }; 114 115 static struct qinit cryptmod_rinit = { 116 (int (*)())cryptmodrput, /* qi_putp */ 117 cryptmodrsrv, /* qi_svc */ 118 cryptmodopen, /* qi_qopen */ 119 cryptmodclose, /* qi_qclose */ 120 NULL, /* qi_qadmin */ 121 &cryptmod_minfo, /* qi_minfo */ 122 NULL /* qi_mstat */ 123 }; 124 125 static struct qinit cryptmod_winit = { 126 (int (*)())cryptmodwput, /* qi_putp */ 127 cryptmodwsrv, /* qi_srvp */ 128 NULL, /* qi_qopen */ 129 NULL, /* qi_qclose */ 130 NULL, /* qi_qadmin */ 131 &cryptmod_minfo, /* qi_minfo */ 132 NULL /* qi_mstat */ 133 }; 134 135 static struct streamtab cryptmod_info = { 136 &cryptmod_rinit, /* st_rdinit */ 137 &cryptmod_winit, /* st_wrinit */ 138 NULL, /* st_muxrinit */ 139 NULL /* st_muxwinit */ 140 }; 141 142 typedef struct { 143 uint_t hash_len; 144 uint_t confound_len; 145 int (*hashfunc)(); 146 } hash_info_t; 147 148 #define MAX_CKSUM_LEN 20 149 #define CONFOUNDER_LEN 8 150 151 #define SHA1_HASHSIZE 20 152 #define MD5_HASHSIZE 16 153 #define CRC32_HASHSIZE 4 154 155 static int crc32_calc(uchar_t *, uchar_t *, uint_t); 156 static int md5_calc(uchar_t *, uchar_t *, uint_t); 157 static int sha1_calc(uchar_t *, uchar_t *, uint_t); 158 159 static hash_info_t null_hash = {0, 0, NULL}; 160 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc}; 161 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc}; 162 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc}; 163 164 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID; 165 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID; 166 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID; 167 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID; 168 169 static int kef_crypt(struct cipher_data_t *, void *, 170 crypto_data_format_t, size_t, int); 171 static mblk_t * 172 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *, 173 mblk_t *, hash_info_t *); 174 static mblk_t * 175 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *, 176 mblk_t *, hash_info_t *); 177 178 static int 179 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int); 180 181 /* 182 * This is the loadable module wrapper. 183 */ 184 #include <sys/modctl.h> 185 186 static struct fmodsw fsw = { 187 "cryptmod", 188 &cryptmod_info, 189 D_MP | D_MTQPAIR 190 }; 191 192 /* 193 * Module linkage information for the kernel. 194 */ 195 static struct modlstrmod modlstrmod = { 196 &mod_strmodops, 197 "STREAMS encryption module %I%", 198 &fsw 199 }; 200 201 static struct modlinkage modlinkage = { 202 MODREV_1, 203 &modlstrmod, 204 NULL 205 }; 206 207 int 208 _init(void) 209 { 210 return (mod_install(&modlinkage)); 211 } 212 213 int 214 _fini(void) 215 { 216 return (mod_remove(&modlinkage)); 217 } 218 219 int 220 _info(struct modinfo *modinfop) 221 { 222 return (mod_info(&modlinkage, modinfop)); 223 } 224 225 static void 226 cleanup(struct cipher_data_t *cd) 227 { 228 if (cd->key != NULL) { 229 bzero(cd->key, cd->keylen); 230 kmem_free(cd->key, cd->keylen); 231 cd->key = NULL; 232 } 233 234 if (cd->ckey != NULL) { 235 /* 236 * ckey is a crypto_key_t structure which references 237 * "cd->key" for its raw key data. Since that was already 238 * cleared out, we don't need another "bzero" here. 239 */ 240 kmem_free(cd->ckey, sizeof (crypto_key_t)); 241 cd->ckey = NULL; 242 } 243 244 if (cd->block != NULL) { 245 kmem_free(cd->block, cd->blocklen); 246 cd->block = NULL; 247 } 248 249 if (cd->saveblock != NULL) { 250 kmem_free(cd->saveblock, cd->blocklen); 251 cd->saveblock = NULL; 252 } 253 254 if (cd->ivec != NULL) { 255 kmem_free(cd->ivec, cd->ivlen); 256 cd->ivec = NULL; 257 } 258 259 if (cd->d_encr_key.ck_data != NULL) { 260 bzero(cd->d_encr_key.ck_data, cd->keylen); 261 kmem_free(cd->d_encr_key.ck_data, cd->keylen); 262 } 263 264 if (cd->d_hmac_key.ck_data != NULL) { 265 bzero(cd->d_hmac_key.ck_data, cd->keylen); 266 kmem_free(cd->d_hmac_key.ck_data, cd->keylen); 267 } 268 269 if (cd->enc_tmpl != NULL) 270 (void) crypto_destroy_ctx_template(cd->enc_tmpl); 271 272 if (cd->hmac_tmpl != NULL) 273 (void) crypto_destroy_ctx_template(cd->hmac_tmpl); 274 275 if (cd->ctx != NULL) { 276 crypto_cancel_ctx(cd->ctx); 277 cd->ctx = NULL; 278 } 279 } 280 281 /* ARGSUSED */ 282 static int 283 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp) 284 { 285 struct tmodinfo *tmi; 286 ASSERT(rq); 287 288 if (sflag != MODOPEN) 289 return (EINVAL); 290 291 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, 292 "cryptmodopen: opening module(PID %d)", 293 ddi_get_pid())); 294 295 if (rq->q_ptr != NULL) { 296 cmn_err(CE_WARN, "cryptmodopen: already opened"); 297 return (0); 298 } 299 300 /* 301 * Allocate and initialize per-Stream structure. 302 */ 303 tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo), 304 KM_SLEEP); 305 306 tmi->enc_data.method = CRYPT_METHOD_NONE; 307 tmi->dec_data.method = CRYPT_METHOD_NONE; 308 309 tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY); 310 311 rq->q_ptr = WR(rq)->q_ptr = tmi; 312 313 sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC); 314 md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC); 315 sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1); 316 md5_hash_mech = crypto_mech2id(SUN_CKM_MD5); 317 318 qprocson(rq); 319 320 return (0); 321 } 322 323 static int 324 cryptmodclose(queue_t *rq) 325 { 326 struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr; 327 ASSERT(tmi); 328 329 qprocsoff(rq); 330 331 cleanup(&tmi->enc_data); 332 cleanup(&tmi->dec_data); 333 334 kmem_free(tmi, sizeof (struct tmodinfo)); 335 rq->q_ptr = WR(rq)->q_ptr = NULL; 336 337 return (0); 338 } 339 340 /* 341 * plaintext_offset 342 * 343 * Calculate exactly how much space is needed in front 344 * of the "plaintext" in an mbuf so it can be positioned 345 * 1 time instead of potentially moving the data multiple 346 * times. 347 */ 348 static int 349 plaintext_offset(struct cipher_data_t *cd) 350 { 351 int headspace = 0; 352 353 /* 4 byte length prepended to all RCMD msgs */ 354 if (ANY_RCMD_MODE(cd->option_mask)) 355 headspace += RCMD_LEN_SZ; 356 357 /* RCMD V2 mode adds an additional 4 byte plaintext length */ 358 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2) 359 headspace += RCMD_LEN_SZ; 360 361 /* Need extra space for hash and counfounder */ 362 switch (cd->method) { 363 case CRYPT_METHOD_DES_CBC_NULL: 364 headspace += null_hash.hash_len + null_hash.confound_len; 365 break; 366 case CRYPT_METHOD_DES_CBC_CRC: 367 headspace += crc32_hash.hash_len + crc32_hash.confound_len; 368 break; 369 case CRYPT_METHOD_DES_CBC_MD5: 370 headspace += md5_hash.hash_len + md5_hash.confound_len; 371 break; 372 case CRYPT_METHOD_DES3_CBC_SHA1: 373 headspace += sha1_hash.confound_len; 374 break; 375 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 376 headspace += md5_hash.hash_len + md5_hash.confound_len; 377 break; 378 case CRYPT_METHOD_AES128: 379 case CRYPT_METHOD_AES256: 380 headspace += DEFAULT_AES_BLOCKLEN; 381 break; 382 case CRYPT_METHOD_DES_CFB: 383 case CRYPT_METHOD_NONE: 384 break; 385 } 386 387 return (headspace); 388 } 389 /* 390 * encrypt_size 391 * 392 * Calculate the resulting size when encrypting 'plainlen' bytes 393 * of data. 394 */ 395 static size_t 396 encrypt_size(struct cipher_data_t *cd, size_t plainlen) 397 { 398 size_t cipherlen; 399 400 switch (cd->method) { 401 case CRYPT_METHOD_DES_CBC_NULL: 402 cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len + 403 plainlen, 8); 404 break; 405 case CRYPT_METHOD_DES_CBC_MD5: 406 cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len + 407 md5_hash.confound_len + 408 plainlen, 8); 409 break; 410 case CRYPT_METHOD_DES_CBC_CRC: 411 cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len + 412 crc32_hash.confound_len + 413 plainlen, 8); 414 break; 415 case CRYPT_METHOD_DES3_CBC_SHA1: 416 cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len + 417 plainlen, 8) + 418 sha1_hash.hash_len; 419 break; 420 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 421 cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len + 422 plainlen, 1) + md5_hash.hash_len; 423 break; 424 case CRYPT_METHOD_AES128: 425 case CRYPT_METHOD_AES256: 426 /* No roundup for AES-CBC-CTS */ 427 cipherlen = DEFAULT_AES_BLOCKLEN + plainlen + 428 AES_TRUNCATED_HMAC_LEN; 429 break; 430 case CRYPT_METHOD_DES_CFB: 431 case CRYPT_METHOD_NONE: 432 cipherlen = plainlen; 433 break; 434 } 435 436 return (cipherlen); 437 } 438 439 /* 440 * des_cfb_encrypt 441 * 442 * Encrypt the mblk data using DES with cipher feedback. 443 * 444 * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit 445 * vector, D[n] is the nth chunk of 64 bits of data to encrypt 446 * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted 447 * (decrypted) data, then: 448 * 449 * V[0] = DES(V[i], key) 450 * O[n] = D[n] <exclusive or > V[n] 451 * V[n+1] = DES(O[n], key) 452 * 453 * The size of the message being encrypted does not change in this 454 * algorithm, num_bytes in == num_bytes out. 455 */ 456 static mblk_t * 457 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) 458 { 459 int savedbytes; 460 char *iptr, *optr, *lastoutput; 461 462 lastoutput = optr = (char *)mp->b_rptr; 463 iptr = (char *)mp->b_rptr; 464 savedbytes = tmi->enc_data.bytes % CFB_BLKSZ; 465 466 while (iptr < (char *)mp->b_wptr) { 467 /* 468 * Do DES-ECB. 469 * The first time this runs, the 'tmi->enc_data.block' will 470 * contain the initialization vector that should have been 471 * passed in with the SETUP ioctl. 472 * 473 * V[n] = DES(V[n-1], key) 474 */ 475 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) { 476 int retval = 0; 477 retval = kef_crypt(&tmi->enc_data, 478 tmi->enc_data.block, 479 CRYPTO_DATA_RAW, 480 tmi->enc_data.blocklen, 481 CRYPT_ENCRYPT); 482 483 if (retval != CRYPTO_SUCCESS) { 484 #ifdef DEBUG 485 cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt " 486 "failed - error 0x%0x", retval); 487 #endif 488 mp->b_datap->db_type = M_ERROR; 489 mp->b_rptr = mp->b_datap->db_base; 490 *mp->b_rptr = EIO; 491 mp->b_wptr = mp->b_rptr + sizeof (char); 492 freemsg(mp->b_cont); 493 mp->b_cont = NULL; 494 qreply(WR(q), mp); 495 return (NULL); 496 } 497 } 498 499 /* O[n] = I[n] ^ V[n] */ 500 *(optr++) = *(iptr++) ^ 501 tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ]; 502 503 tmi->enc_data.bytes++; 504 /* 505 * Feedback the encrypted output as the input to next DES call. 506 */ 507 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) { 508 char *dbptr = tmi->enc_data.block; 509 /* 510 * Get the last bits of input from the previous 511 * msg block that we haven't yet used as feedback input. 512 */ 513 if (savedbytes > 0) { 514 bcopy(tmi->enc_data.saveblock, 515 dbptr, (size_t)savedbytes); 516 dbptr += savedbytes; 517 } 518 519 /* 520 * Now copy the correct bytes from the current input 521 * stream and update the 'lastoutput' ptr 522 */ 523 bcopy(lastoutput, dbptr, 524 (size_t)(CFB_BLKSZ - savedbytes)); 525 526 lastoutput += (CFB_BLKSZ - savedbytes); 527 savedbytes = 0; 528 } 529 } 530 /* 531 * If there are bytes of input here that we need in the next 532 * block to build an ivec, save them off here. 533 */ 534 if (lastoutput < optr) { 535 bcopy(lastoutput, 536 tmi->enc_data.saveblock + savedbytes, 537 (uint_t)(optr - lastoutput)); 538 } 539 return (mp); 540 } 541 542 /* 543 * des_cfb_decrypt 544 * 545 * Decrypt the data in the mblk using DES in Cipher Feedback mode 546 * 547 * # bytes in == # bytes out, no padding, confounding, or hashing 548 * is added. 549 * 550 */ 551 static mblk_t * 552 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) 553 { 554 uint_t len; 555 uint_t savedbytes; 556 char *iptr; 557 char *lastinput; 558 uint_t cp; 559 560 len = MBLKL(mp); 561 562 /* decrypted output goes into the new data buffer */ 563 lastinput = iptr = (char *)mp->b_rptr; 564 565 savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen; 566 567 /* 568 * Save the input CFB_BLKSZ bytes at a time. 569 * We are trying to decrypt in-place, but need to keep 570 * a small sliding window of encrypted text to be 571 * used to construct the feedback buffer. 572 */ 573 cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len : 574 tmi->dec_data.blocklen - savedbytes); 575 576 bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp); 577 savedbytes += cp; 578 579 lastinput += cp; 580 581 while (iptr < (char *)mp->b_wptr) { 582 /* 583 * Do DES-ECB. 584 * The first time this runs, the 'tmi->dec_data.block' will 585 * contain the initialization vector that should have been 586 * passed in with the SETUP ioctl. 587 */ 588 if (!(tmi->dec_data.bytes % CFB_BLKSZ)) { 589 int retval; 590 retval = kef_crypt(&tmi->dec_data, 591 tmi->dec_data.block, 592 CRYPTO_DATA_RAW, 593 tmi->dec_data.blocklen, 594 CRYPT_ENCRYPT); 595 596 if (retval != CRYPTO_SUCCESS) { 597 #ifdef DEBUG 598 cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt " 599 "failed - status 0x%0x", retval); 600 #endif 601 mp->b_datap->db_type = M_ERROR; 602 mp->b_rptr = mp->b_datap->db_base; 603 *mp->b_rptr = EIO; 604 mp->b_wptr = mp->b_rptr + sizeof (char); 605 freemsg(mp->b_cont); 606 mp->b_cont = NULL; 607 qreply(WR(q), mp); 608 return (NULL); 609 } 610 } 611 612 /* 613 * To decrypt, XOR the input with the output from the DES call 614 */ 615 *(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes % 616 CFB_BLKSZ]; 617 618 tmi->dec_data.bytes++; 619 620 /* 621 * Feedback the encrypted input for next DES call. 622 */ 623 if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) { 624 char *dbptr = tmi->dec_data.block; 625 /* 626 * Get the last bits of input from the previous block 627 * that we haven't yet processed. 628 */ 629 if (savedbytes > 0) { 630 bcopy(tmi->dec_data.saveblock, 631 dbptr, savedbytes); 632 dbptr += savedbytes; 633 } 634 635 savedbytes = 0; 636 637 /* 638 * This block makes sure that our local 639 * buffer of input data is full and can 640 * be accessed from the beginning. 641 */ 642 if (lastinput < (char *)mp->b_wptr) { 643 644 /* How many bytes are left in the mblk? */ 645 cp = (((char *)mp->b_wptr - lastinput) > 646 tmi->dec_data.blocklen ? 647 tmi->dec_data.blocklen : 648 (char *)mp->b_wptr - lastinput); 649 650 /* copy what we need */ 651 bcopy(lastinput, tmi->dec_data.saveblock, 652 cp); 653 654 lastinput += cp; 655 savedbytes = cp; 656 } 657 } 658 } 659 660 return (mp); 661 } 662 663 /* 664 * crc32_calc 665 * 666 * Compute a CRC32 checksum on the input 667 */ 668 static int 669 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len) 670 { 671 uint32_t crc; 672 673 CRC32(crc, input, len, 0, crc32_table); 674 675 buf[0] = (uchar_t)(crc & 0xff); 676 buf[1] = (uchar_t)((crc >> 8) & 0xff); 677 buf[2] = (uchar_t)((crc >> 16) & 0xff); 678 buf[3] = (uchar_t)((crc >> 24) & 0xff); 679 680 return (CRYPTO_SUCCESS); 681 } 682 683 static int 684 kef_digest(crypto_mech_type_t digest_type, 685 uchar_t *input, uint_t inlen, 686 uchar_t *output, uint_t hashlen) 687 { 688 iovec_t v1, v2; 689 crypto_data_t d1, d2; 690 crypto_mechanism_t mech; 691 int rv; 692 693 mech.cm_type = digest_type; 694 mech.cm_param = 0; 695 mech.cm_param_len = 0; 696 697 v1.iov_base = (void *)input; 698 v1.iov_len = inlen; 699 700 d1.cd_format = CRYPTO_DATA_RAW; 701 d1.cd_offset = 0; 702 d1.cd_length = v1.iov_len; 703 d1.cd_raw = v1; 704 705 v2.iov_base = (void *)output; 706 v2.iov_len = hashlen; 707 708 d2.cd_format = CRYPTO_DATA_RAW; 709 d2.cd_offset = 0; 710 d2.cd_length = v2.iov_len; 711 d2.cd_raw = v2; 712 713 rv = crypto_digest(&mech, &d1, &d2, NULL); 714 715 return (rv); 716 } 717 718 /* 719 * sha1_calc 720 * 721 * Get a SHA1 hash on the input data. 722 */ 723 static int 724 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen) 725 { 726 int rv; 727 728 rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE); 729 730 return (rv); 731 } 732 733 /* 734 * Get an MD5 hash on the input data. 735 * md5_calc 736 * 737 */ 738 static int 739 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen) 740 { 741 int rv; 742 743 rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE); 744 745 return (rv); 746 } 747 748 /* 749 * nfold 750 * duplicate the functionality of the krb5_nfold function from 751 * the userland kerberos mech. 752 * This is needed to derive keys for use with 3DES/SHA1-HMAC 753 * ciphers. 754 */ 755 static void 756 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out) 757 { 758 int a, b, c, lcm; 759 int byte, i, msbit; 760 761 inbits >>= 3; 762 outbits >>= 3; 763 764 /* first compute lcm(n,k) */ 765 a = outbits; 766 b = inbits; 767 768 while (b != 0) { 769 c = b; 770 b = a%b; 771 a = c; 772 } 773 774 lcm = outbits*inbits/a; 775 776 /* now do the real work */ 777 778 bzero(out, outbits); 779 byte = 0; 780 781 /* 782 * Compute the msbit in k which gets added into this byte 783 * first, start with the msbit in the first, unrotated byte 784 * then, for each byte, shift to the right for each repetition 785 * last, pick out the correct byte within that shifted repetition 786 */ 787 for (i = lcm-1; i >= 0; i--) { 788 msbit = (((inbits<<3)-1) 789 +(((inbits<<3)+13)*(i/inbits)) 790 +((inbits-(i%inbits))<<3)) %(inbits<<3); 791 792 /* pull out the byte value itself */ 793 byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)| 794 (in[((inbits)-(msbit>>3))%inbits])) 795 >>((msbit&7)+1))&0xff; 796 797 /* do the addition */ 798 byte += out[i%outbits]; 799 out[i%outbits] = byte&0xff; 800 801 byte >>= 8; 802 } 803 804 /* if there's a carry bit left over, add it back in */ 805 if (byte) { 806 for (i = outbits-1; i >= 0; i--) { 807 /* do the addition */ 808 byte += out[i]; 809 out[i] = byte&0xff; 810 811 /* keep around the carry bit, if any */ 812 byte >>= 8; 813 } 814 } 815 } 816 817 #define smask(step) ((1<<step)-1) 818 #define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step))) 819 #define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1) 820 821 /* 822 * Duplicate the functionality of the "dk_derive_key" function 823 * in the Kerberos mechanism. 824 */ 825 static int 826 derive_key(struct cipher_data_t *cdata, uchar_t *constdata, 827 int constlen, char *dkey, int keybytes, 828 int blocklen) 829 { 830 int rv = 0; 831 int n = 0, i; 832 char *inblock; 833 char *rawkey; 834 char *zeroblock; 835 char *saveblock; 836 837 inblock = kmem_zalloc(blocklen, KM_SLEEP); 838 rawkey = kmem_zalloc(keybytes, KM_SLEEP); 839 zeroblock = kmem_zalloc(blocklen, KM_SLEEP); 840 841 if (constlen == blocklen) 842 bcopy(constdata, inblock, blocklen); 843 else 844 nfold(constlen * 8, constdata, 845 blocklen * 8, (uchar_t *)inblock); 846 847 /* 848 * zeroblock is an IV of all 0's. 849 * 850 * The "block" section of the cdata record is used as the 851 * IV for crypto operations in the kef_crypt function. 852 * 853 * We use 'block' as a generic IV data buffer because it 854 * is attached to the stream state data and thus can 855 * be used to hold information that must carry over 856 * from processing of one mblk to another. 857 * 858 * Here, we save the current IV and replace it with 859 * and empty IV (all 0's) for use when deriving the 860 * keys. Once the key derivation is done, we swap the 861 * old IV back into place. 862 */ 863 saveblock = cdata->block; 864 cdata->block = zeroblock; 865 866 while (n < keybytes) { 867 rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW, 868 blocklen, CRYPT_ENCRYPT); 869 if (rv != CRYPTO_SUCCESS) { 870 /* put the original IV block back in place */ 871 cdata->block = saveblock; 872 cmn_err(CE_WARN, "failed to derive a key: %0x", rv); 873 goto cleanup; 874 } 875 876 if (keybytes - n < blocklen) { 877 bcopy(inblock, rawkey+n, (keybytes-n)); 878 break; 879 } 880 bcopy(inblock, rawkey+n, blocklen); 881 n += blocklen; 882 } 883 /* put the original IV block back in place */ 884 cdata->block = saveblock; 885 886 /* finally, make the key */ 887 if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) { 888 /* 889 * 3DES key derivation requires that we make sure the 890 * key has the proper parity. 891 */ 892 for (i = 0; i < 3; i++) { 893 bcopy(rawkey+(i*7), dkey+(i*8), 7); 894 895 /* 'dkey' is our derived key output buffer */ 896 dkey[i*8+7] = (((dkey[i*8]&1)<<1) | 897 ((dkey[i*8+1]&1)<<2) | 898 ((dkey[i*8+2]&1)<<3) | 899 ((dkey[i*8+3]&1)<<4) | 900 ((dkey[i*8+4]&1)<<5) | 901 ((dkey[i*8+5]&1)<<6) | 902 ((dkey[i*8+6]&1)<<7)); 903 904 for (n = 0; n < 8; n++) { 905 dkey[i*8 + n] &= 0xfe; 906 dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]); 907 } 908 } 909 } else if (IS_AES_METHOD(cdata->method)) { 910 bcopy(rawkey, dkey, keybytes); 911 } 912 cleanup: 913 kmem_free(inblock, blocklen); 914 kmem_free(zeroblock, blocklen); 915 kmem_free(rawkey, keybytes); 916 return (rv); 917 } 918 919 /* 920 * create_derived_keys 921 * 922 * Algorithm for deriving a new key and an HMAC key 923 * before computing the 3DES-SHA1-HMAC operation on the plaintext 924 * This algorithm matches the work done by Kerberos mechanism 925 * in userland. 926 */ 927 static int 928 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage, 929 crypto_key_t *enckey, crypto_key_t *hmackey) 930 { 931 uchar_t constdata[K5CLENGTH]; 932 int keybytes; 933 int rv; 934 935 constdata[0] = (usage>>24)&0xff; 936 constdata[1] = (usage>>16)&0xff; 937 constdata[2] = (usage>>8)&0xff; 938 constdata[3] = usage & 0xff; 939 /* Use "0xAA" for deriving encryption key */ 940 constdata[4] = 0xAA; /* from MIT Kerberos code */ 941 942 enckey->ck_length = cdata->keylen * 8; 943 enckey->ck_format = CRYPTO_KEY_RAW; 944 enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP); 945 946 switch (cdata->method) { 947 case CRYPT_METHOD_DES_CFB: 948 case CRYPT_METHOD_DES_CBC_NULL: 949 case CRYPT_METHOD_DES_CBC_MD5: 950 case CRYPT_METHOD_DES_CBC_CRC: 951 keybytes = 8; 952 break; 953 case CRYPT_METHOD_DES3_CBC_SHA1: 954 keybytes = CRYPT_DES3_KEYBYTES; 955 break; 956 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 957 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 958 keybytes = CRYPT_ARCFOUR_KEYBYTES; 959 break; 960 case CRYPT_METHOD_AES128: 961 keybytes = CRYPT_AES128_KEYBYTES; 962 break; 963 case CRYPT_METHOD_AES256: 964 keybytes = CRYPT_AES256_KEYBYTES; 965 break; 966 } 967 968 /* derive main crypto key */ 969 rv = derive_key(cdata, constdata, sizeof (constdata), 970 enckey->ck_data, keybytes, cdata->blocklen); 971 972 if (rv == CRYPTO_SUCCESS) { 973 974 /* Use "0x55" for deriving mac key */ 975 constdata[4] = 0x55; 976 977 hmackey->ck_length = cdata->keylen * 8; 978 hmackey->ck_format = CRYPTO_KEY_RAW; 979 hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP); 980 981 rv = derive_key(cdata, constdata, sizeof (constdata), 982 hmackey->ck_data, keybytes, 983 cdata->blocklen); 984 } else { 985 cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv); 986 } 987 988 return (rv); 989 } 990 991 /* 992 * Compute 3-DES crypto and HMAC. 993 */ 994 static int 995 kef_decr_hmac(struct cipher_data_t *cdata, 996 mblk_t *mp, int length, 997 char *hmac, int hmaclen) 998 { 999 int rv = CRYPTO_FAILED; 1000 1001 crypto_mechanism_t encr_mech; 1002 crypto_mechanism_t mac_mech; 1003 crypto_data_t dd; 1004 crypto_data_t mac; 1005 iovec_t v1; 1006 1007 ASSERT(cdata != NULL); 1008 ASSERT(mp != NULL); 1009 ASSERT(hmac != NULL); 1010 1011 bzero(&dd, sizeof (dd)); 1012 dd.cd_format = CRYPTO_DATA_MBLK; 1013 dd.cd_offset = 0; 1014 dd.cd_length = length; 1015 dd.cd_mp = mp; 1016 1017 v1.iov_base = hmac; 1018 v1.iov_len = hmaclen; 1019 1020 mac.cd_format = CRYPTO_DATA_RAW; 1021 mac.cd_offset = 0; 1022 mac.cd_length = hmaclen; 1023 mac.cd_raw = v1; 1024 1025 /* 1026 * cdata->block holds the IVEC 1027 */ 1028 encr_mech.cm_type = cdata->mech_type; 1029 encr_mech.cm_param = cdata->block; 1030 1031 if (cdata->block != NULL) 1032 encr_mech.cm_param_len = cdata->blocklen; 1033 else 1034 encr_mech.cm_param_len = 0; 1035 1036 rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key, 1037 cdata->enc_tmpl, NULL, NULL); 1038 if (rv != CRYPTO_SUCCESS) { 1039 cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv); 1040 return (rv); 1041 } 1042 1043 mac_mech.cm_type = sha1_hmac_mech; 1044 mac_mech.cm_param = NULL; 1045 mac_mech.cm_param_len = 0; 1046 1047 /* 1048 * Compute MAC of the plaintext decrypted above. 1049 */ 1050 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key, 1051 cdata->hmac_tmpl, &mac, NULL); 1052 1053 if (rv != CRYPTO_SUCCESS) { 1054 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); 1055 } 1056 1057 return (rv); 1058 } 1059 1060 /* 1061 * Compute 3-DES crypto and HMAC. 1062 */ 1063 static int 1064 kef_encr_hmac(struct cipher_data_t *cdata, 1065 mblk_t *mp, int length, 1066 char *hmac, int hmaclen) 1067 { 1068 int rv = CRYPTO_FAILED; 1069 1070 crypto_mechanism_t encr_mech; 1071 crypto_mechanism_t mac_mech; 1072 crypto_data_t dd; 1073 crypto_data_t mac; 1074 iovec_t v1; 1075 1076 ASSERT(cdata != NULL); 1077 ASSERT(mp != NULL); 1078 ASSERT(hmac != NULL); 1079 1080 bzero(&dd, sizeof (dd)); 1081 dd.cd_format = CRYPTO_DATA_MBLK; 1082 dd.cd_offset = 0; 1083 dd.cd_length = length; 1084 dd.cd_mp = mp; 1085 1086 v1.iov_base = hmac; 1087 v1.iov_len = hmaclen; 1088 1089 mac.cd_format = CRYPTO_DATA_RAW; 1090 mac.cd_offset = 0; 1091 mac.cd_length = hmaclen; 1092 mac.cd_raw = v1; 1093 1094 /* 1095 * cdata->block holds the IVEC 1096 */ 1097 encr_mech.cm_type = cdata->mech_type; 1098 encr_mech.cm_param = cdata->block; 1099 1100 if (cdata->block != NULL) 1101 encr_mech.cm_param_len = cdata->blocklen; 1102 else 1103 encr_mech.cm_param_len = 0; 1104 1105 mac_mech.cm_type = sha1_hmac_mech; 1106 mac_mech.cm_param = NULL; 1107 mac_mech.cm_param_len = 0; 1108 1109 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key, 1110 cdata->hmac_tmpl, &mac, NULL); 1111 1112 if (rv != CRYPTO_SUCCESS) { 1113 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); 1114 return (rv); 1115 } 1116 1117 rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key, 1118 cdata->enc_tmpl, NULL, NULL); 1119 if (rv != CRYPTO_SUCCESS) { 1120 cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv); 1121 } 1122 1123 return (rv); 1124 } 1125 1126 /* 1127 * kef_crypt 1128 * 1129 * Use the Kernel encryption framework to provide the 1130 * crypto operations for the indicated data. 1131 */ 1132 static int 1133 kef_crypt(struct cipher_data_t *cdata, 1134 void *indata, crypto_data_format_t fmt, 1135 size_t length, int mode) 1136 { 1137 int rv = CRYPTO_FAILED; 1138 1139 crypto_mechanism_t mech; 1140 crypto_key_t crkey; 1141 iovec_t v1; 1142 crypto_data_t d1; 1143 1144 ASSERT(cdata != NULL); 1145 ASSERT(indata != NULL); 1146 ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK); 1147 1148 bzero(&crkey, sizeof (crkey)); 1149 bzero(&d1, sizeof (d1)); 1150 1151 crkey.ck_format = CRYPTO_KEY_RAW; 1152 crkey.ck_data = cdata->key; 1153 1154 /* keys are measured in bits, not bytes, so multiply by 8 */ 1155 crkey.ck_length = cdata->keylen * 8; 1156 1157 if (fmt == CRYPTO_DATA_RAW) { 1158 v1.iov_base = (char *)indata; 1159 v1.iov_len = length; 1160 } 1161 1162 d1.cd_format = fmt; 1163 d1.cd_offset = 0; 1164 d1.cd_length = length; 1165 if (fmt == CRYPTO_DATA_RAW) 1166 d1.cd_raw = v1; 1167 else if (fmt == CRYPTO_DATA_MBLK) 1168 d1.cd_mp = (mblk_t *)indata; 1169 1170 mech.cm_type = cdata->mech_type; 1171 mech.cm_param = cdata->block; 1172 /* 1173 * cdata->block holds the IVEC 1174 */ 1175 if (cdata->block != NULL) 1176 mech.cm_param_len = cdata->blocklen; 1177 else 1178 mech.cm_param_len = 0; 1179 1180 /* 1181 * encrypt and decrypt in-place 1182 */ 1183 if (mode == CRYPT_ENCRYPT) 1184 rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL); 1185 else 1186 rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL); 1187 1188 if (rv != CRYPTO_SUCCESS) { 1189 cmn_err(CE_WARN, "%s returned error %08x", 1190 (mode == CRYPT_ENCRYPT ? "crypto_encrypt" : 1191 "crypto_decrypt"), rv); 1192 return (CRYPTO_FAILED); 1193 } 1194 1195 return (rv); 1196 } 1197 1198 static int 1199 do_hmac(crypto_mech_type_t mech, 1200 crypto_key_t *key, 1201 char *data, int datalen, 1202 char *hmac, int hmaclen) 1203 { 1204 int rv = 0; 1205 crypto_mechanism_t mac_mech; 1206 crypto_data_t dd; 1207 crypto_data_t mac; 1208 iovec_t vdata, vmac; 1209 1210 mac_mech.cm_type = mech; 1211 mac_mech.cm_param = NULL; 1212 mac_mech.cm_param_len = 0; 1213 1214 vdata.iov_base = data; 1215 vdata.iov_len = datalen; 1216 1217 bzero(&dd, sizeof (dd)); 1218 dd.cd_format = CRYPTO_DATA_RAW; 1219 dd.cd_offset = 0; 1220 dd.cd_length = datalen; 1221 dd.cd_raw = vdata; 1222 1223 vmac.iov_base = hmac; 1224 vmac.iov_len = hmaclen; 1225 1226 mac.cd_format = CRYPTO_DATA_RAW; 1227 mac.cd_offset = 0; 1228 mac.cd_length = hmaclen; 1229 mac.cd_raw = vmac; 1230 1231 /* 1232 * Compute MAC of the plaintext decrypted above. 1233 */ 1234 rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL); 1235 1236 if (rv != CRYPTO_SUCCESS) { 1237 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); 1238 } 1239 1240 return (rv); 1241 } 1242 1243 #define XOR_BLOCK(src, dst) \ 1244 (dst)[0] ^= (src)[0]; \ 1245 (dst)[1] ^= (src)[1]; \ 1246 (dst)[2] ^= (src)[2]; \ 1247 (dst)[3] ^= (src)[3]; \ 1248 (dst)[4] ^= (src)[4]; \ 1249 (dst)[5] ^= (src)[5]; \ 1250 (dst)[6] ^= (src)[6]; \ 1251 (dst)[7] ^= (src)[7]; \ 1252 (dst)[8] ^= (src)[8]; \ 1253 (dst)[9] ^= (src)[9]; \ 1254 (dst)[10] ^= (src)[10]; \ 1255 (dst)[11] ^= (src)[11]; \ 1256 (dst)[12] ^= (src)[12]; \ 1257 (dst)[13] ^= (src)[13]; \ 1258 (dst)[14] ^= (src)[14]; \ 1259 (dst)[15] ^= (src)[15] 1260 1261 #define xorblock(x, y) XOR_BLOCK(y, x) 1262 1263 static int 1264 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length) 1265 { 1266 int result = CRYPTO_SUCCESS; 1267 unsigned char tmp[DEFAULT_AES_BLOCKLEN]; 1268 unsigned char tmp2[DEFAULT_AES_BLOCKLEN]; 1269 unsigned char tmp3[DEFAULT_AES_BLOCKLEN]; 1270 int nblocks = 0, blockno; 1271 crypto_data_t ct, pt; 1272 crypto_mechanism_t mech; 1273 1274 mech.cm_type = tmi->enc_data.mech_type; 1275 if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) { 1276 bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); 1277 mech.cm_param = tmi->enc_data.ivec; 1278 mech.cm_param_len = tmi->enc_data.ivlen; 1279 } else { 1280 bzero(tmp, sizeof (tmp)); 1281 mech.cm_param = NULL; 1282 mech.cm_param_len = 0; 1283 } 1284 1285 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; 1286 1287 bzero(&ct, sizeof (crypto_data_t)); 1288 bzero(&pt, sizeof (crypto_data_t)); 1289 1290 if (nblocks == 1) { 1291 pt.cd_format = CRYPTO_DATA_RAW; 1292 pt.cd_length = length; 1293 pt.cd_raw.iov_base = (char *)plain; 1294 pt.cd_raw.iov_len = length; 1295 1296 result = crypto_encrypt(&mech, &pt, 1297 &tmi->enc_data.d_encr_key, NULL, NULL, NULL); 1298 1299 if (result != CRYPTO_SUCCESS) { 1300 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1301 "crypto_encrypt failed: %0x", result); 1302 } 1303 } else { 1304 size_t nleft; 1305 1306 ct.cd_format = CRYPTO_DATA_RAW; 1307 ct.cd_offset = 0; 1308 ct.cd_length = DEFAULT_AES_BLOCKLEN; 1309 1310 pt.cd_format = CRYPTO_DATA_RAW; 1311 pt.cd_offset = 0; 1312 pt.cd_length = DEFAULT_AES_BLOCKLEN; 1313 1314 result = crypto_encrypt_init(&mech, 1315 &tmi->enc_data.d_encr_key, 1316 tmi->enc_data.enc_tmpl, 1317 &tmi->enc_data.ctx, NULL); 1318 1319 if (result != CRYPTO_SUCCESS) { 1320 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1321 "crypto_encrypt_init failed: %0x", result); 1322 goto cleanup; 1323 } 1324 1325 for (blockno = 0; blockno < nblocks - 2; blockno++) { 1326 xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN); 1327 1328 pt.cd_raw.iov_base = (char *)tmp; 1329 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1330 1331 ct.cd_raw.iov_base = (char *)plain + 1332 blockno * DEFAULT_AES_BLOCKLEN; 1333 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1334 1335 result = crypto_encrypt_update(tmi->enc_data.ctx, 1336 &pt, &ct, NULL); 1337 1338 if (result != CRYPTO_SUCCESS) { 1339 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1340 "crypto_encrypt_update failed: %0x", 1341 result); 1342 goto cleanup; 1343 } 1344 /* copy result over original bytes */ 1345 /* make another copy for the next XOR step */ 1346 bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN, 1347 tmp, DEFAULT_AES_BLOCKLEN); 1348 } 1349 /* XOR cipher text from n-3 with plain text from n-2 */ 1350 xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN); 1351 1352 pt.cd_raw.iov_base = (char *)tmp; 1353 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1354 1355 ct.cd_raw.iov_base = (char *)tmp2; 1356 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1357 1358 /* encrypt XOR-ed block N-2 */ 1359 result = crypto_encrypt_update(tmi->enc_data.ctx, 1360 &pt, &ct, NULL); 1361 if (result != CRYPTO_SUCCESS) { 1362 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1363 "crypto_encrypt_update(2) failed: %0x", 1364 result); 1365 goto cleanup; 1366 } 1367 nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN; 1368 1369 bzero(tmp3, sizeof (tmp3)); 1370 /* Save final plaintext bytes from n-1 */ 1371 bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, 1372 nleft); 1373 1374 /* Overwrite n-1 with cipher text from n-2 */ 1375 bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, 1376 nleft); 1377 1378 bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN); 1379 /* XOR cipher text from n-1 with plain text from n-1 */ 1380 xorblock(tmp, tmp3); 1381 1382 pt.cd_raw.iov_base = (char *)tmp; 1383 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1384 1385 ct.cd_raw.iov_base = (char *)tmp2; 1386 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1387 1388 /* encrypt block N-2 */ 1389 result = crypto_encrypt_update(tmi->enc_data.ctx, 1390 &pt, &ct, NULL); 1391 1392 if (result != CRYPTO_SUCCESS) { 1393 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1394 "crypto_encrypt_update(3) failed: %0x", 1395 result); 1396 goto cleanup; 1397 } 1398 1399 bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1400 DEFAULT_AES_BLOCKLEN); 1401 1402 1403 ct.cd_raw.iov_base = (char *)tmp2; 1404 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1405 1406 /* 1407 * Ignore the output on the final step. 1408 */ 1409 result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL); 1410 if (result != CRYPTO_SUCCESS) { 1411 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1412 "crypto_encrypt_final(3) failed: %0x", 1413 result); 1414 } 1415 tmi->enc_data.ctx = NULL; 1416 } 1417 cleanup: 1418 bzero(tmp, sizeof (tmp)); 1419 bzero(tmp2, sizeof (tmp)); 1420 bzero(tmp3, sizeof (tmp)); 1421 bzero(tmi->enc_data.block, tmi->enc_data.blocklen); 1422 return (result); 1423 } 1424 1425 static int 1426 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length) 1427 { 1428 int result = CRYPTO_SUCCESS; 1429 unsigned char tmp[DEFAULT_AES_BLOCKLEN]; 1430 unsigned char tmp2[DEFAULT_AES_BLOCKLEN]; 1431 unsigned char tmp3[DEFAULT_AES_BLOCKLEN]; 1432 int nblocks = 0, blockno; 1433 crypto_data_t ct, pt; 1434 crypto_mechanism_t mech; 1435 1436 mech.cm_type = tmi->enc_data.mech_type; 1437 1438 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1439 tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) { 1440 bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); 1441 mech.cm_param = tmi->dec_data.ivec; 1442 mech.cm_param_len = tmi->dec_data.ivlen; 1443 } else { 1444 bzero(tmp, sizeof (tmp)); 1445 mech.cm_param_len = 0; 1446 mech.cm_param = NULL; 1447 } 1448 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; 1449 1450 bzero(&pt, sizeof (pt)); 1451 bzero(&ct, sizeof (ct)); 1452 1453 if (nblocks == 1) { 1454 ct.cd_format = CRYPTO_DATA_RAW; 1455 ct.cd_length = length; 1456 ct.cd_raw.iov_base = (char *)buff; 1457 ct.cd_raw.iov_len = length; 1458 1459 result = crypto_decrypt(&mech, &ct, 1460 &tmi->dec_data.d_encr_key, NULL, NULL, NULL); 1461 1462 if (result != CRYPTO_SUCCESS) { 1463 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1464 "crypto_decrypt failed: %0x", result); 1465 goto cleanup; 1466 } 1467 } else { 1468 ct.cd_format = CRYPTO_DATA_RAW; 1469 ct.cd_offset = 0; 1470 ct.cd_length = DEFAULT_AES_BLOCKLEN; 1471 1472 pt.cd_format = CRYPTO_DATA_RAW; 1473 pt.cd_offset = 0; 1474 pt.cd_length = DEFAULT_AES_BLOCKLEN; 1475 1476 result = crypto_encrypt_init(&mech, 1477 &tmi->dec_data.d_encr_key, 1478 tmi->dec_data.enc_tmpl, 1479 &tmi->dec_data.ctx, NULL); 1480 1481 if (result != CRYPTO_SUCCESS) { 1482 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1483 "crypto_decrypt_init failed: %0x", result); 1484 goto cleanup; 1485 } 1486 for (blockno = 0; blockno < nblocks - 2; blockno++) { 1487 ct.cd_raw.iov_base = (char *)buff + 1488 (blockno * DEFAULT_AES_BLOCKLEN); 1489 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1490 1491 pt.cd_raw.iov_base = (char *)tmp2; 1492 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1493 1494 /* 1495 * Save the input to the decrypt so it can 1496 * be used later for an XOR operation 1497 */ 1498 bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN), 1499 tmi->dec_data.block, DEFAULT_AES_BLOCKLEN); 1500 1501 result = crypto_decrypt_update(&tmi->dec_data.ctx, 1502 &ct, &pt, NULL); 1503 if (result != CRYPTO_SUCCESS) { 1504 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1505 "crypto_decrypt_update(1) error - " 1506 "result = 0x%08x", result); 1507 goto cleanup; 1508 } 1509 xorblock(tmp2, tmp); 1510 bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN, 1511 DEFAULT_AES_BLOCKLEN); 1512 /* 1513 * The original cipher text is used as the xor 1514 * for the next block, save it here. 1515 */ 1516 bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN); 1517 } 1518 ct.cd_raw.iov_base = (char *)buff + 1519 ((nblocks - 2) * DEFAULT_AES_BLOCKLEN); 1520 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1521 pt.cd_raw.iov_base = (char *)tmp2; 1522 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1523 1524 result = crypto_decrypt_update(tmi->dec_data.ctx, 1525 &ct, &pt, NULL); 1526 if (result != CRYPTO_SUCCESS) { 1527 cmn_err(CE_WARN, 1528 "aes_cbc_cts_decrypt: " 1529 "crypto_decrypt_update(2) error -" 1530 " result = 0x%08x", result); 1531 goto cleanup; 1532 } 1533 bzero(tmp3, sizeof (tmp3)); 1534 bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, 1535 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1536 1537 xorblock(tmp2, tmp3); 1538 bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, 1539 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1540 1541 /* 2nd to last block ... */ 1542 bcopy(tmp3, tmp2, 1543 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1544 1545 ct.cd_raw.iov_base = (char *)tmp2; 1546 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1547 pt.cd_raw.iov_base = (char *)tmp3; 1548 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1549 1550 result = crypto_decrypt_update(tmi->dec_data.ctx, 1551 &ct, &pt, NULL); 1552 if (result != CRYPTO_SUCCESS) { 1553 cmn_err(CE_WARN, 1554 "aes_cbc_cts_decrypt: " 1555 "crypto_decrypt_update(3) error - " 1556 "result = 0x%08x", result); 1557 goto cleanup; 1558 } 1559 xorblock(tmp3, tmp); 1560 1561 1562 /* Finally, update the 2nd to last block and we are done. */ 1563 bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1564 DEFAULT_AES_BLOCKLEN); 1565 1566 /* Do Final step, but ignore output */ 1567 pt.cd_raw.iov_base = (char *)tmp2; 1568 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1569 result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL); 1570 if (result != CRYPTO_SUCCESS) { 1571 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1572 "crypto_decrypt_final error - " 1573 "result = 0x%0x", result); 1574 } 1575 tmi->dec_data.ctx = NULL; 1576 } 1577 1578 cleanup: 1579 bzero(tmp, sizeof (tmp)); 1580 bzero(tmp2, sizeof (tmp)); 1581 bzero(tmp3, sizeof (tmp)); 1582 bzero(tmi->dec_data.block, tmi->dec_data.blocklen); 1583 return (result); 1584 } 1585 1586 /* 1587 * AES decrypt 1588 * 1589 * format of ciphertext when using AES 1590 * +-------------+------------+------------+ 1591 * | confounder | msg-data | hmac | 1592 * +-------------+------------+------------+ 1593 */ 1594 static mblk_t * 1595 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1596 hash_info_t *hash) 1597 { 1598 int result; 1599 size_t enclen; 1600 size_t inlen; 1601 uchar_t hmacbuff[64]; 1602 uchar_t tmpiv[DEFAULT_AES_BLOCKLEN]; 1603 1604 inlen = (size_t)MBLKL(mp); 1605 1606 enclen = inlen - AES_TRUNCATED_HMAC_LEN; 1607 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1608 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) { 1609 int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) / 1610 DEFAULT_AES_BLOCKLEN; 1611 bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2), 1612 tmpiv, DEFAULT_AES_BLOCKLEN); 1613 } 1614 1615 /* AES Decrypt */ 1616 result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen); 1617 1618 if (result != CRYPTO_SUCCESS) { 1619 cmn_err(CE_WARN, 1620 "aes_decrypt: aes_cbc_cts_decrypt " 1621 "failed - error %0x", result); 1622 goto cleanup; 1623 } 1624 1625 /* Verify the HMAC */ 1626 result = do_hmac(sha1_hmac_mech, 1627 &tmi->dec_data.d_hmac_key, 1628 (char *)mp->b_rptr, enclen, 1629 (char *)hmacbuff, hash->hash_len); 1630 1631 if (result != CRYPTO_SUCCESS) { 1632 cmn_err(CE_WARN, 1633 "aes_decrypt: do_hmac failed - error %0x", result); 1634 goto cleanup; 1635 } 1636 1637 if (bcmp(hmacbuff, mp->b_rptr + enclen, 1638 AES_TRUNCATED_HMAC_LEN) != 0) { 1639 result = -1; 1640 cmn_err(CE_WARN, "aes_decrypt: checksum verification failed"); 1641 goto cleanup; 1642 } 1643 1644 /* truncate the mblk at the end of the decrypted text */ 1645 mp->b_wptr = mp->b_rptr + enclen; 1646 1647 /* Adjust the beginning of the buffer to skip the confounder */ 1648 mp->b_rptr += DEFAULT_AES_BLOCKLEN; 1649 1650 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1651 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) 1652 bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN); 1653 1654 cleanup: 1655 if (result != CRYPTO_SUCCESS) { 1656 mp->b_datap->db_type = M_ERROR; 1657 mp->b_rptr = mp->b_datap->db_base; 1658 *mp->b_rptr = EIO; 1659 mp->b_wptr = mp->b_rptr + sizeof (char); 1660 freemsg(mp->b_cont); 1661 mp->b_cont = NULL; 1662 qreply(WR(q), mp); 1663 return (NULL); 1664 } 1665 return (mp); 1666 } 1667 1668 /* 1669 * AES encrypt 1670 * 1671 * format of ciphertext when using AES 1672 * +-------------+------------+------------+ 1673 * | confounder | msg-data | hmac | 1674 * +-------------+------------+------------+ 1675 */ 1676 static mblk_t * 1677 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1678 hash_info_t *hash) 1679 { 1680 int result; 1681 size_t cipherlen; 1682 size_t inlen; 1683 uchar_t hmacbuff[64]; 1684 1685 inlen = (size_t)MBLKL(mp); 1686 1687 cipherlen = encrypt_size(&tmi->enc_data, inlen); 1688 1689 ASSERT(MBLKSIZE(mp) >= cipherlen); 1690 1691 /* 1692 * Shift the rptr back enough to insert the confounder. 1693 */ 1694 mp->b_rptr -= DEFAULT_AES_BLOCKLEN; 1695 1696 /* Get random data for confounder */ 1697 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr, 1698 DEFAULT_AES_BLOCKLEN); 1699 1700 /* 1701 * Because we encrypt in-place, we need to calculate 1702 * the HMAC of the plaintext now, then stick it on 1703 * the end of the ciphertext down below. 1704 */ 1705 result = do_hmac(sha1_hmac_mech, 1706 &tmi->enc_data.d_hmac_key, 1707 (char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen, 1708 (char *)hmacbuff, hash->hash_len); 1709 1710 if (result != CRYPTO_SUCCESS) { 1711 cmn_err(CE_WARN, "aes_encrypt: do_hmac failed - error %0x", 1712 result); 1713 goto cleanup; 1714 } 1715 /* Encrypt using AES-CBC-CTS */ 1716 result = aes_cbc_cts_encrypt(tmi, mp->b_rptr, 1717 inlen + DEFAULT_AES_BLOCKLEN); 1718 1719 if (result != CRYPTO_SUCCESS) { 1720 cmn_err(CE_WARN, "aes_encrypt: aes_cbc_cts_encrypt " 1721 "failed - error %0x", result); 1722 goto cleanup; 1723 } 1724 1725 /* copy the truncated HMAC to the end of the mblk */ 1726 bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen, 1727 AES_TRUNCATED_HMAC_LEN); 1728 1729 mp->b_wptr = mp->b_rptr + cipherlen; 1730 1731 /* 1732 * The final block of cipher text (not the HMAC) is used 1733 * as the next IV. 1734 */ 1735 if (tmi->enc_data.ivec_usage != IVEC_NEVER && 1736 tmi->enc_data.ivec != NULL) { 1737 int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) / 1738 DEFAULT_AES_BLOCKLEN; 1739 1740 bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1741 tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN); 1742 } 1743 1744 cleanup: 1745 if (result != CRYPTO_SUCCESS) { 1746 mp->b_datap->db_type = M_ERROR; 1747 mp->b_rptr = mp->b_datap->db_base; 1748 *mp->b_rptr = EIO; 1749 mp->b_wptr = mp->b_rptr + sizeof (char); 1750 freemsg(mp->b_cont); 1751 mp->b_cont = NULL; 1752 qreply(WR(q), mp); 1753 return (NULL); 1754 } 1755 return (mp); 1756 } 1757 1758 /* 1759 * ARCFOUR-HMAC-MD5 decrypt 1760 * 1761 * format of ciphertext when using ARCFOUR-HMAC-MD5 1762 * +-----------+------------+------------+ 1763 * | hmac | confounder | msg-data | 1764 * +-----------+------------+------------+ 1765 * 1766 */ 1767 static mblk_t * 1768 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1769 hash_info_t *hash) 1770 { 1771 int result; 1772 size_t cipherlen; 1773 size_t inlen; 1774 size_t saltlen; 1775 crypto_key_t k1, k2; 1776 crypto_data_t indata; 1777 iovec_t v1; 1778 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 1779 0xab, 0xab, 0xab, 0xab }; 1780 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; 1781 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; 1782 uchar_t cksum[MD5_HASHSIZE]; 1783 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; 1784 crypto_mechanism_t mech; 1785 int usage; 1786 1787 /* The usage constant is 1026 for all "old" rcmd mode operations */ 1788 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1) 1789 usage = RCMDV1_USAGE; 1790 else 1791 usage = ARCFOUR_DECRYPT_USAGE; 1792 1793 /* 1794 * The size at this point should be the size of 1795 * all the plaintext plus the optional plaintext length 1796 * needed for RCMD V2 mode. There should also be room 1797 * at the head of the mblk for the confounder and hash info. 1798 */ 1799 inlen = (size_t)MBLKL(mp); 1800 1801 /* 1802 * The cipherlen does not include the HMAC at the 1803 * head of the buffer. 1804 */ 1805 cipherlen = inlen - hash->hash_len; 1806 1807 ASSERT(MBLKSIZE(mp) >= cipherlen); 1808 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 1809 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); 1810 saltdata[9] = 0; 1811 saltdata[10] = usage & 0xff; 1812 saltdata[11] = (usage >> 8) & 0xff; 1813 saltdata[12] = (usage >> 16) & 0xff; 1814 saltdata[13] = (usage >> 24) & 0xff; 1815 saltlen = 14; 1816 } else { 1817 saltdata[0] = usage & 0xff; 1818 saltdata[1] = (usage >> 8) & 0xff; 1819 saltdata[2] = (usage >> 16) & 0xff; 1820 saltdata[3] = (usage >> 24) & 0xff; 1821 saltlen = 4; 1822 } 1823 /* 1824 * Use the salt value to create a key to be used 1825 * for subsequent HMAC operations. 1826 */ 1827 result = do_hmac(md5_hmac_mech, 1828 tmi->dec_data.ckey, 1829 (char *)saltdata, saltlen, 1830 (char *)k1data, sizeof (k1data)); 1831 if (result != CRYPTO_SUCCESS) { 1832 cmn_err(CE_WARN, 1833 "arcfour_hmac_md5_decrypt: do_hmac(k1)" 1834 "failed - error %0x", result); 1835 goto cleanup; 1836 } 1837 bcopy(k1data, k2data, sizeof (k1data)); 1838 1839 /* 1840 * For the neutered MS RC4 encryption type, 1841 * set the trailing 9 bytes to 0xab per the 1842 * RC4-HMAC spec. 1843 */ 1844 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 1845 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); 1846 } 1847 1848 mech.cm_type = tmi->dec_data.mech_type; 1849 mech.cm_param = NULL; 1850 mech.cm_param_len = 0; 1851 1852 /* 1853 * If we have not yet initialized the decryption key, 1854 * context, and template, do it now. 1855 */ 1856 if (tmi->dec_data.ctx == NULL || 1857 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { 1858 k1.ck_format = CRYPTO_KEY_RAW; 1859 k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8; 1860 k1.ck_data = k1data; 1861 1862 tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW; 1863 tmi->dec_data.d_encr_key.ck_length = k1.ck_length; 1864 if (tmi->dec_data.d_encr_key.ck_data == NULL) 1865 tmi->dec_data.d_encr_key.ck_data = kmem_zalloc( 1866 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); 1867 1868 /* 1869 * HMAC operation creates the encryption 1870 * key to be used for the decrypt operations. 1871 */ 1872 result = do_hmac(md5_hmac_mech, &k1, 1873 (char *)mp->b_rptr, hash->hash_len, 1874 (char *)tmi->dec_data.d_encr_key.ck_data, 1875 CRYPT_ARCFOUR_KEYBYTES); 1876 1877 1878 if (result != CRYPTO_SUCCESS) { 1879 cmn_err(CE_WARN, 1880 "arcfour_hmac_md5_decrypt: do_hmac(k3)" 1881 "failed - error %0x", result); 1882 goto cleanup; 1883 } 1884 } 1885 1886 tmi->dec_data.enc_tmpl = NULL; 1887 1888 if (tmi->dec_data.ctx == NULL && 1889 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { 1890 /* 1891 * Only create a template if we are doing 1892 * chaining from block to block. 1893 */ 1894 result = crypto_create_ctx_template(&mech, 1895 &tmi->dec_data.d_encr_key, 1896 &tmi->dec_data.enc_tmpl, 1897 KM_SLEEP); 1898 if (result == CRYPTO_NOT_SUPPORTED) { 1899 tmi->dec_data.enc_tmpl = NULL; 1900 } else if (result != CRYPTO_SUCCESS) { 1901 cmn_err(CE_WARN, 1902 "arcfour_hmac_md5_decrypt: " 1903 "failed to create dec template " 1904 "for RC4 encrypt: %0x", result); 1905 goto cleanup; 1906 } 1907 1908 result = crypto_decrypt_init(&mech, 1909 &tmi->dec_data.d_encr_key, 1910 tmi->dec_data.enc_tmpl, 1911 &tmi->dec_data.ctx, NULL); 1912 1913 if (result != CRYPTO_SUCCESS) { 1914 cmn_err(CE_WARN, "crypto_decrypt_init failed:" 1915 " %0x", result); 1916 goto cleanup; 1917 } 1918 } 1919 1920 /* adjust the rptr so we don't decrypt the original hmac field */ 1921 1922 v1.iov_base = (char *)mp->b_rptr + hash->hash_len; 1923 v1.iov_len = cipherlen; 1924 1925 indata.cd_format = CRYPTO_DATA_RAW; 1926 indata.cd_offset = 0; 1927 indata.cd_length = cipherlen; 1928 indata.cd_raw = v1; 1929 1930 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 1931 result = crypto_decrypt_update(tmi->dec_data.ctx, 1932 &indata, NULL, NULL); 1933 else 1934 result = crypto_decrypt(&mech, &indata, 1935 &tmi->dec_data.d_encr_key, NULL, NULL, NULL); 1936 1937 if (result != CRYPTO_SUCCESS) { 1938 cmn_err(CE_WARN, "crypto_decrypt_update failed:" 1939 " %0x", result); 1940 goto cleanup; 1941 } 1942 1943 k2.ck_format = CRYPTO_KEY_RAW; 1944 k2.ck_length = sizeof (k2data) * 8; 1945 k2.ck_data = k2data; 1946 1947 result = do_hmac(md5_hmac_mech, 1948 &k2, 1949 (char *)mp->b_rptr + hash->hash_len, cipherlen, 1950 (char *)cksum, hash->hash_len); 1951 1952 if (result != CRYPTO_SUCCESS) { 1953 cmn_err(CE_WARN, 1954 "arcfour_hmac_md5_decrypt: do_hmac(k2)" 1955 "failed - error %0x", result); 1956 goto cleanup; 1957 } 1958 1959 if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) { 1960 cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed"); 1961 result = -1; 1962 goto cleanup; 1963 } 1964 1965 /* 1966 * adjust the start of the mblk to skip over the 1967 * hash and confounder. 1968 */ 1969 mp->b_rptr += hash->hash_len + hash->confound_len; 1970 1971 cleanup: 1972 bzero(k1data, sizeof (k1data)); 1973 bzero(k2data, sizeof (k2data)); 1974 bzero(cksum, sizeof (cksum)); 1975 bzero(saltdata, sizeof (saltdata)); 1976 if (result != CRYPTO_SUCCESS) { 1977 mp->b_datap->db_type = M_ERROR; 1978 mp->b_rptr = mp->b_datap->db_base; 1979 *mp->b_rptr = EIO; 1980 mp->b_wptr = mp->b_rptr + sizeof (char); 1981 freemsg(mp->b_cont); 1982 mp->b_cont = NULL; 1983 qreply(WR(q), mp); 1984 return (NULL); 1985 } 1986 return (mp); 1987 } 1988 1989 /* 1990 * ARCFOUR-HMAC-MD5 encrypt 1991 * 1992 * format of ciphertext when using ARCFOUR-HMAC-MD5 1993 * +-----------+------------+------------+ 1994 * | hmac | confounder | msg-data | 1995 * +-----------+------------+------------+ 1996 * 1997 */ 1998 static mblk_t * 1999 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 2000 hash_info_t *hash) 2001 { 2002 int result; 2003 size_t cipherlen; 2004 size_t inlen; 2005 size_t saltlen; 2006 crypto_key_t k1, k2; 2007 crypto_data_t indata; 2008 iovec_t v1; 2009 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 2010 0xab, 0xab, 0xab, 0xab }; 2011 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; 2012 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; 2013 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; 2014 crypto_mechanism_t mech; 2015 int usage; 2016 2017 /* The usage constant is 1026 for all "old" rcmd mode operations */ 2018 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1) 2019 usage = RCMDV1_USAGE; 2020 else 2021 usage = ARCFOUR_ENCRYPT_USAGE; 2022 2023 mech.cm_type = tmi->enc_data.mech_type; 2024 mech.cm_param = NULL; 2025 mech.cm_param_len = 0; 2026 2027 /* 2028 * The size at this point should be the size of 2029 * all the plaintext plus the optional plaintext length 2030 * needed for RCMD V2 mode. There should also be room 2031 * at the head of the mblk for the confounder and hash info. 2032 */ 2033 inlen = (size_t)MBLKL(mp); 2034 2035 cipherlen = encrypt_size(&tmi->enc_data, inlen); 2036 2037 ASSERT(MBLKSIZE(mp) >= cipherlen); 2038 2039 /* 2040 * Shift the rptr back enough to insert 2041 * the confounder and hash. 2042 */ 2043 mp->b_rptr -= (hash->confound_len + hash->hash_len); 2044 2045 /* zero out the hash area */ 2046 bzero(mp->b_rptr, (size_t)hash->hash_len); 2047 2048 if (cipherlen > inlen) { 2049 bzero(mp->b_wptr, MBLKTAIL(mp)); 2050 } 2051 2052 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 2053 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); 2054 saltdata[9] = 0; 2055 saltdata[10] = usage & 0xff; 2056 saltdata[11] = (usage >> 8) & 0xff; 2057 saltdata[12] = (usage >> 16) & 0xff; 2058 saltdata[13] = (usage >> 24) & 0xff; 2059 saltlen = 14; 2060 } else { 2061 saltdata[0] = usage & 0xff; 2062 saltdata[1] = (usage >> 8) & 0xff; 2063 saltdata[2] = (usage >> 16) & 0xff; 2064 saltdata[3] = (usage >> 24) & 0xff; 2065 saltlen = 4; 2066 } 2067 /* 2068 * Use the salt value to create a key to be used 2069 * for subsequent HMAC operations. 2070 */ 2071 result = do_hmac(md5_hmac_mech, 2072 tmi->enc_data.ckey, 2073 (char *)saltdata, saltlen, 2074 (char *)k1data, sizeof (k1data)); 2075 if (result != CRYPTO_SUCCESS) { 2076 cmn_err(CE_WARN, 2077 "arcfour_hmac_md5_encrypt: do_hmac(k1)" 2078 "failed - error %0x", result); 2079 goto cleanup; 2080 } 2081 2082 bcopy(k1data, k2data, sizeof (k2data)); 2083 2084 /* 2085 * For the neutered MS RC4 encryption type, 2086 * set the trailing 9 bytes to 0xab per the 2087 * RC4-HMAC spec. 2088 */ 2089 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 2090 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); 2091 } 2092 2093 /* 2094 * Get the confounder bytes. 2095 */ 2096 (void) random_get_pseudo_bytes( 2097 (uint8_t *)(mp->b_rptr + hash->hash_len), 2098 (size_t)hash->confound_len); 2099 2100 k2.ck_data = k2data; 2101 k2.ck_format = CRYPTO_KEY_RAW; 2102 k2.ck_length = sizeof (k2data) * 8; 2103 2104 /* 2105 * This writes the HMAC to the hash area in the 2106 * mblk. The key used is the one just created by 2107 * the previous HMAC operation. 2108 * The data being processed is the confounder bytes 2109 * PLUS the input plaintext. 2110 */ 2111 result = do_hmac(md5_hmac_mech, &k2, 2112 (char *)mp->b_rptr + hash->hash_len, 2113 hash->confound_len + inlen, 2114 (char *)mp->b_rptr, hash->hash_len); 2115 if (result != CRYPTO_SUCCESS) { 2116 cmn_err(CE_WARN, 2117 "arcfour_hmac_md5_encrypt: do_hmac(k2)" 2118 "failed - error %0x", result); 2119 goto cleanup; 2120 } 2121 /* 2122 * Because of the odd way that MIT uses RC4 keys 2123 * on the rlogin stream, we only need to create 2124 * this key once. 2125 * However, if using "old" rcmd mode, we need to do 2126 * it every time. 2127 */ 2128 if (tmi->enc_data.ctx == NULL || 2129 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { 2130 crypto_key_t *key = &tmi->enc_data.d_encr_key; 2131 2132 k1.ck_data = k1data; 2133 k1.ck_format = CRYPTO_KEY_RAW; 2134 k1.ck_length = sizeof (k1data) * 8; 2135 2136 key->ck_format = CRYPTO_KEY_RAW; 2137 key->ck_length = k1.ck_length; 2138 if (key->ck_data == NULL) 2139 key->ck_data = kmem_zalloc( 2140 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); 2141 2142 /* 2143 * The final HMAC operation creates the encryption 2144 * key to be used for the encrypt operation. 2145 */ 2146 result = do_hmac(md5_hmac_mech, &k1, 2147 (char *)mp->b_rptr, hash->hash_len, 2148 (char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES); 2149 2150 if (result != CRYPTO_SUCCESS) { 2151 cmn_err(CE_WARN, 2152 "arcfour_hmac_md5_encrypt: do_hmac(k3)" 2153 "failed - error %0x", result); 2154 goto cleanup; 2155 } 2156 } 2157 2158 /* 2159 * If the context has not been initialized, do it now. 2160 */ 2161 if (tmi->enc_data.ctx == NULL && 2162 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { 2163 /* 2164 * Only create a template if we are doing 2165 * chaining from block to block. 2166 */ 2167 result = crypto_create_ctx_template(&mech, 2168 &tmi->enc_data.d_encr_key, 2169 &tmi->enc_data.enc_tmpl, 2170 KM_SLEEP); 2171 if (result == CRYPTO_NOT_SUPPORTED) { 2172 tmi->enc_data.enc_tmpl = NULL; 2173 } else if (result != CRYPTO_SUCCESS) { 2174 cmn_err(CE_WARN, "failed to create enc template " 2175 "for RC4 encrypt: %0x", result); 2176 goto cleanup; 2177 } 2178 2179 result = crypto_encrypt_init(&mech, 2180 &tmi->enc_data.d_encr_key, 2181 tmi->enc_data.enc_tmpl, 2182 &tmi->enc_data.ctx, NULL); 2183 if (result != CRYPTO_SUCCESS) { 2184 cmn_err(CE_WARN, "crypto_encrypt_init failed:" 2185 " %0x", result); 2186 goto cleanup; 2187 } 2188 } 2189 v1.iov_base = (char *)mp->b_rptr + hash->hash_len; 2190 v1.iov_len = hash->confound_len + inlen; 2191 2192 indata.cd_format = CRYPTO_DATA_RAW; 2193 indata.cd_offset = 0; 2194 indata.cd_length = hash->confound_len + inlen; 2195 indata.cd_raw = v1; 2196 2197 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 2198 result = crypto_encrypt_update(tmi->enc_data.ctx, 2199 &indata, NULL, NULL); 2200 else 2201 result = crypto_encrypt(&mech, &indata, 2202 &tmi->enc_data.d_encr_key, NULL, 2203 NULL, NULL); 2204 2205 if (result != CRYPTO_SUCCESS) { 2206 cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x", 2207 result); 2208 } 2209 2210 cleanup: 2211 bzero(k1data, sizeof (k1data)); 2212 bzero(k2data, sizeof (k2data)); 2213 bzero(saltdata, sizeof (saltdata)); 2214 if (result != CRYPTO_SUCCESS) { 2215 mp->b_datap->db_type = M_ERROR; 2216 mp->b_rptr = mp->b_datap->db_base; 2217 *mp->b_rptr = EIO; 2218 mp->b_wptr = mp->b_rptr + sizeof (char); 2219 freemsg(mp->b_cont); 2220 mp->b_cont = NULL; 2221 qreply(WR(q), mp); 2222 return (NULL); 2223 } 2224 return (mp); 2225 } 2226 2227 /* 2228 * DES-CBC-[HASH] encrypt 2229 * 2230 * Needed to support userland apps that must support Kerberos V5 2231 * encryption DES-CBC encryption modes. 2232 * 2233 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1 2234 * 2235 * format of ciphertext for DES-CBC functions, per RFC1510 is: 2236 * +-----------+----------+-------------+-----+ 2237 * |confounder | cksum | msg-data | pad | 2238 * +-----------+----------+-------------+-----+ 2239 * 2240 * format of ciphertext when using DES3-SHA1-HMAC 2241 * +-----------+----------+-------------+-----+ 2242 * |confounder | msg-data | hmac | pad | 2243 * +-----------+----------+-------------+-----+ 2244 * 2245 * The confounder is 8 bytes of random data. 2246 * The cksum depends on the hash being used. 2247 * 4 bytes for CRC32 2248 * 16 bytes for MD5 2249 * 20 bytes for SHA1 2250 * 0 bytes for RAW 2251 * 2252 */ 2253 static mblk_t * 2254 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) 2255 { 2256 int result; 2257 size_t cipherlen; 2258 size_t inlen; 2259 size_t plainlen; 2260 2261 /* 2262 * The size at this point should be the size of 2263 * all the plaintext plus the optional plaintext length 2264 * needed for RCMD V2 mode. There should also be room 2265 * at the head of the mblk for the confounder and hash info. 2266 */ 2267 inlen = (size_t)MBLKL(mp); 2268 2269 /* 2270 * The output size will be a multiple of 8 because this algorithm 2271 * only works on 8 byte chunks. 2272 */ 2273 cipherlen = encrypt_size(&tmi->enc_data, inlen); 2274 2275 ASSERT(MBLKSIZE(mp) >= cipherlen); 2276 2277 if (cipherlen > inlen) { 2278 bzero(mp->b_wptr, MBLKTAIL(mp)); 2279 } 2280 2281 /* 2282 * Shift the rptr back enough to insert 2283 * the confounder and hash. 2284 */ 2285 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2286 mp->b_rptr -= hash->confound_len; 2287 } else { 2288 mp->b_rptr -= (hash->confound_len + hash->hash_len); 2289 2290 /* zero out the hash area */ 2291 bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len); 2292 } 2293 2294 /* get random confounder from our friend, the 'random' module */ 2295 if (hash->confound_len > 0) { 2296 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr, 2297 (size_t)hash->confound_len); 2298 } 2299 2300 /* 2301 * For 3DES we calculate an HMAC later. 2302 */ 2303 if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) { 2304 /* calculate chksum of confounder + input */ 2305 if (hash->hash_len > 0 && hash->hashfunc != NULL) { 2306 uchar_t cksum[MAX_CKSUM_LEN]; 2307 2308 result = hash->hashfunc(cksum, mp->b_rptr, 2309 cipherlen); 2310 if (result != CRYPTO_SUCCESS) { 2311 goto failure; 2312 } 2313 2314 /* put hash in place right after the confounder */ 2315 bcopy(cksum, (mp->b_rptr + hash->confound_len), 2316 (size_t)hash->hash_len); 2317 } 2318 } 2319 /* 2320 * In order to support the "old" Kerberos RCMD protocol, 2321 * we must use the IVEC 3 different ways: 2322 * IVEC_REUSE = keep using the same IV each time, this is 2323 * ugly and insecure, but necessary for 2324 * backwards compatibility with existing MIT code. 2325 * IVEC_ONETIME = Use the ivec as initialized when the crypto 2326 * was setup (see setup_crypto routine). 2327 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk). 2328 */ 2329 if (tmi->enc_data.ivec_usage == IVEC_NEVER) { 2330 bzero(tmi->enc_data.block, tmi->enc_data.blocklen); 2331 } else if (tmi->enc_data.ivec_usage == IVEC_REUSE) { 2332 bcopy(tmi->enc_data.ivec, tmi->enc_data.block, 2333 tmi->enc_data.blocklen); 2334 } 2335 2336 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2337 /* 2338 * The input length already included the hash size, 2339 * don't include this in the plaintext length 2340 * calculations. 2341 */ 2342 plainlen = cipherlen - hash->hash_len; 2343 2344 mp->b_wptr = mp->b_rptr + plainlen; 2345 2346 result = kef_encr_hmac(&tmi->enc_data, 2347 (void *)mp, (size_t)plainlen, 2348 (char *)(mp->b_rptr + plainlen), 2349 hash->hash_len); 2350 } else { 2351 ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp)); 2352 mp->b_wptr = mp->b_rptr + cipherlen; 2353 result = kef_crypt(&tmi->enc_data, (void *)mp, 2354 CRYPTO_DATA_MBLK, (size_t)cipherlen, 2355 CRYPT_ENCRYPT); 2356 } 2357 failure: 2358 if (result != CRYPTO_SUCCESS) { 2359 #ifdef DEBUG 2360 cmn_err(CE_WARN, 2361 "des_cbc_encrypt: kef_crypt encrypt " 2362 "failed (len: %ld) - error %0x", 2363 cipherlen, result); 2364 #endif 2365 mp->b_datap->db_type = M_ERROR; 2366 mp->b_rptr = mp->b_datap->db_base; 2367 *mp->b_rptr = EIO; 2368 mp->b_wptr = mp->b_rptr + sizeof (char); 2369 freemsg(mp->b_cont); 2370 mp->b_cont = NULL; 2371 qreply(WR(q), mp); 2372 return (NULL); 2373 } else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) { 2374 /* 2375 * Because we are using KEF, we must manually 2376 * update our IV. 2377 */ 2378 bcopy(mp->b_wptr - tmi->enc_data.ivlen, 2379 tmi->enc_data.block, tmi->enc_data.ivlen); 2380 } 2381 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2382 mp->b_wptr = mp->b_rptr + cipherlen; 2383 } 2384 2385 return (mp); 2386 } 2387 2388 /* 2389 * des_cbc_decrypt 2390 * 2391 * 2392 * Needed to support userland apps that must support Kerberos V5 2393 * encryption DES-CBC decryption modes. 2394 * 2395 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1 2396 * 2397 * format of ciphertext for DES-CBC functions, per RFC1510 is: 2398 * +-----------+----------+-------------+-----+ 2399 * |confounder | cksum | msg-data | pad | 2400 * +-----------+----------+-------------+-----+ 2401 * 2402 * format of ciphertext when using DES3-SHA1-HMAC 2403 * +-----------+----------+-------------+-----+ 2404 * |confounder | msg-data | hmac | pad | 2405 * +-----------+----------+-------------+-----+ 2406 * 2407 * The confounder is 8 bytes of random data. 2408 * The cksum depends on the hash being used. 2409 * 4 bytes for CRC32 2410 * 16 bytes for MD5 2411 * 20 bytes for SHA1 2412 * 0 bytes for RAW 2413 * 2414 */ 2415 static mblk_t * 2416 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) 2417 { 2418 uint_t inlen, datalen; 2419 int result = 0; 2420 uchar_t *optr = NULL; 2421 uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN]; 2422 uchar_t nextiv[DEFAULT_DES_BLOCKLEN]; 2423 2424 /* Compute adjusted size */ 2425 inlen = MBLKL(mp); 2426 2427 optr = mp->b_rptr; 2428 2429 /* 2430 * In order to support the "old" Kerberos RCMD protocol, 2431 * we must use the IVEC 3 different ways: 2432 * IVEC_REUSE = keep using the same IV each time, this is 2433 * ugly and insecure, but necessary for 2434 * backwards compatibility with existing MIT code. 2435 * IVEC_ONETIME = Use the ivec as initialized when the crypto 2436 * was setup (see setup_crypto routine). 2437 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk). 2438 */ 2439 if (tmi->dec_data.ivec_usage == IVEC_NEVER) 2440 bzero(tmi->dec_data.block, tmi->dec_data.blocklen); 2441 else if (tmi->dec_data.ivec_usage == IVEC_REUSE) 2442 bcopy(tmi->dec_data.ivec, tmi->dec_data.block, 2443 tmi->dec_data.blocklen); 2444 2445 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2446 /* 2447 * Do not decrypt the HMAC at the end 2448 */ 2449 int decrypt_len = inlen - hash->hash_len; 2450 2451 /* 2452 * Move the wptr so the mblk appears to end 2453 * BEFORE the HMAC section. 2454 */ 2455 mp->b_wptr = mp->b_rptr + decrypt_len; 2456 2457 /* 2458 * Because we are using KEF, we must manually update our 2459 * IV. 2460 */ 2461 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { 2462 bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen, 2463 nextiv, tmi->dec_data.ivlen); 2464 } 2465 2466 result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len, 2467 (char *)newcksum, hash->hash_len); 2468 } else { 2469 /* 2470 * Because we are using KEF, we must manually update our 2471 * IV. 2472 */ 2473 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { 2474 bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv, 2475 tmi->dec_data.ivlen); 2476 } 2477 result = kef_crypt(&tmi->dec_data, (void *)mp, 2478 CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT); 2479 } 2480 if (result != CRYPTO_SUCCESS) { 2481 #ifdef DEBUG 2482 cmn_err(CE_WARN, 2483 "des_cbc_decrypt: kef_crypt decrypt " 2484 "failed - error %0x", result); 2485 #endif 2486 mp->b_datap->db_type = M_ERROR; 2487 mp->b_rptr = mp->b_datap->db_base; 2488 *mp->b_rptr = EIO; 2489 mp->b_wptr = mp->b_rptr + sizeof (char); 2490 freemsg(mp->b_cont); 2491 mp->b_cont = NULL; 2492 qreply(WR(q), mp); 2493 return (NULL); 2494 } 2495 2496 /* 2497 * Manually update the IV, KEF does not track this for us. 2498 */ 2499 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { 2500 bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen); 2501 } 2502 2503 /* Verify the checksum(if necessary) */ 2504 if (hash->hash_len > 0) { 2505 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { 2506 bcopy(mp->b_rptr + inlen - hash->hash_len, cksum, 2507 hash->hash_len); 2508 } else { 2509 bcopy(optr + hash->confound_len, cksum, hash->hash_len); 2510 2511 /* zero the cksum in the buffer */ 2512 ASSERT(optr + hash->confound_len + hash->hash_len <= 2513 DB_LIM(mp)); 2514 bzero(optr + hash->confound_len, hash->hash_len); 2515 2516 /* calculate MD5 chksum of confounder + input */ 2517 if (hash->hashfunc) { 2518 (void) hash->hashfunc(newcksum, optr, inlen); 2519 } 2520 } 2521 2522 if (bcmp(cksum, newcksum, hash->hash_len)) { 2523 #ifdef DEBUG 2524 cmn_err(CE_WARN, "des_cbc_decrypt: checksum " 2525 "verification failed"); 2526 #endif 2527 mp->b_datap->db_type = M_ERROR; 2528 mp->b_rptr = mp->b_datap->db_base; 2529 *mp->b_rptr = EIO; 2530 mp->b_wptr = mp->b_rptr + sizeof (char); 2531 freemsg(mp->b_cont); 2532 mp->b_cont = NULL; 2533 qreply(WR(q), mp); 2534 return (NULL); 2535 } 2536 } 2537 2538 datalen = inlen - hash->confound_len - hash->hash_len; 2539 2540 /* Move just the decrypted input into place if necessary */ 2541 if (hash->confound_len > 0 || hash->hash_len > 0) { 2542 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) 2543 mp->b_rptr += hash->confound_len; 2544 else 2545 mp->b_rptr += hash->confound_len + hash->hash_len; 2546 } 2547 2548 ASSERT(mp->b_rptr + datalen <= DB_LIM(mp)); 2549 mp->b_wptr = mp->b_rptr + datalen; 2550 2551 return (mp); 2552 } 2553 2554 static mblk_t * 2555 do_decrypt(queue_t *q, mblk_t *mp) 2556 { 2557 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 2558 mblk_t *outmp; 2559 2560 switch (tmi->dec_data.method) { 2561 case CRYPT_METHOD_DES_CFB: 2562 outmp = des_cfb_decrypt(q, tmi, mp); 2563 break; 2564 case CRYPT_METHOD_NONE: 2565 outmp = mp; 2566 break; 2567 case CRYPT_METHOD_DES_CBC_NULL: 2568 outmp = des_cbc_decrypt(q, tmi, mp, &null_hash); 2569 break; 2570 case CRYPT_METHOD_DES_CBC_MD5: 2571 outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash); 2572 break; 2573 case CRYPT_METHOD_DES_CBC_CRC: 2574 outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash); 2575 break; 2576 case CRYPT_METHOD_DES3_CBC_SHA1: 2577 outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash); 2578 break; 2579 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 2580 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 2581 outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash); 2582 break; 2583 case CRYPT_METHOD_AES128: 2584 case CRYPT_METHOD_AES256: 2585 outmp = aes_decrypt(q, tmi, mp, &sha1_hash); 2586 break; 2587 } 2588 return (outmp); 2589 } 2590 2591 /* 2592 * do_encrypt 2593 * 2594 * Generic encryption routine for a single message block. 2595 * The input mblk may be replaced by some encrypt routines 2596 * because they add extra data in some cases that may exceed 2597 * the input mblk_t size limit. 2598 */ 2599 static mblk_t * 2600 do_encrypt(queue_t *q, mblk_t *mp) 2601 { 2602 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 2603 mblk_t *outmp; 2604 2605 switch (tmi->enc_data.method) { 2606 case CRYPT_METHOD_DES_CFB: 2607 outmp = des_cfb_encrypt(q, tmi, mp); 2608 break; 2609 case CRYPT_METHOD_DES_CBC_NULL: 2610 outmp = des_cbc_encrypt(q, tmi, mp, &null_hash); 2611 break; 2612 case CRYPT_METHOD_DES_CBC_MD5: 2613 outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash); 2614 break; 2615 case CRYPT_METHOD_DES_CBC_CRC: 2616 outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash); 2617 break; 2618 case CRYPT_METHOD_DES3_CBC_SHA1: 2619 outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash); 2620 break; 2621 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 2622 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 2623 outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash); 2624 break; 2625 case CRYPT_METHOD_AES128: 2626 case CRYPT_METHOD_AES256: 2627 outmp = aes_encrypt(q, tmi, mp, &sha1_hash); 2628 break; 2629 case CRYPT_METHOD_NONE: 2630 outmp = mp; 2631 break; 2632 } 2633 return (outmp); 2634 } 2635 2636 /* 2637 * setup_crypto 2638 * 2639 * This takes the data from the CRYPTIOCSETUP ioctl 2640 * and sets up a cipher_data_t structure for either 2641 * encryption or decryption. This is where the 2642 * key and initialization vector data get stored 2643 * prior to beginning any crypto functions. 2644 * 2645 * Special note: 2646 * Some applications(e.g. telnetd) have ability to switch 2647 * crypto on/off periodically. Thus, the application may call 2648 * the CRYPTIOCSETUP ioctl many times for the same stream. 2649 * If the CRYPTIOCSETUP is called with 0 length key or ivec fields 2650 * assume that the key, block, and saveblock fields that are already 2651 * set from a previous CRIOCSETUP call are still valid. This helps avoid 2652 * a rekeying error that could occur if we overwrite these fields 2653 * with each CRYPTIOCSETUP call. 2654 * In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off 2655 * without resetting the original crypto parameters. 2656 * 2657 */ 2658 static int 2659 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt) 2660 { 2661 uint_t newblocklen; 2662 uint32_t enc_usage = 0, dec_usage = 0; 2663 int rv; 2664 2665 /* 2666 * Initial sanity checks 2667 */ 2668 if (!CR_METHOD_OK(ci->crypto_method)) { 2669 cmn_err(CE_WARN, "Illegal crypto method (%d)", 2670 ci->crypto_method); 2671 return (EINVAL); 2672 } 2673 if (!CR_OPTIONS_OK(ci->option_mask)) { 2674 cmn_err(CE_WARN, "Illegal crypto options (%d)", 2675 ci->option_mask); 2676 return (EINVAL); 2677 } 2678 if (!CR_IVUSAGE_OK(ci->ivec_usage)) { 2679 cmn_err(CE_WARN, "Illegal ivec usage value (%d)", 2680 ci->ivec_usage); 2681 return (EINVAL); 2682 } 2683 2684 cd->method = ci->crypto_method; 2685 cd->bytes = 0; 2686 2687 if (ci->keylen > 0) { 2688 if (cd->key != NULL) { 2689 kmem_free(cd->key, cd->keylen); 2690 cd->key = NULL; 2691 cd->keylen = 0; 2692 } 2693 /* 2694 * cd->key holds the copy of the raw key bytes passed in 2695 * from the userland app. 2696 */ 2697 cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP); 2698 2699 cd->keylen = ci->keylen; 2700 bcopy(ci->key, cd->key, (size_t)ci->keylen); 2701 } 2702 2703 /* 2704 * Configure the block size based on the type of cipher. 2705 */ 2706 switch (cd->method) { 2707 case CRYPT_METHOD_NONE: 2708 newblocklen = 0; 2709 break; 2710 case CRYPT_METHOD_DES_CFB: 2711 newblocklen = DEFAULT_DES_BLOCKLEN; 2712 cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB); 2713 break; 2714 case CRYPT_METHOD_DES_CBC_NULL: 2715 case CRYPT_METHOD_DES_CBC_MD5: 2716 case CRYPT_METHOD_DES_CBC_CRC: 2717 newblocklen = DEFAULT_DES_BLOCKLEN; 2718 cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC); 2719 break; 2720 case CRYPT_METHOD_DES3_CBC_SHA1: 2721 newblocklen = DEFAULT_DES_BLOCKLEN; 2722 cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC); 2723 /* 3DES always uses the old usage constant */ 2724 enc_usage = RCMDV1_USAGE; 2725 dec_usage = RCMDV1_USAGE; 2726 break; 2727 case CRYPT_METHOD_ARCFOUR_HMAC_MD5: 2728 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: 2729 newblocklen = 0; 2730 cd->mech_type = crypto_mech2id(SUN_CKM_RC4); 2731 break; 2732 case CRYPT_METHOD_AES128: 2733 case CRYPT_METHOD_AES256: 2734 newblocklen = DEFAULT_AES_BLOCKLEN; 2735 cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB); 2736 enc_usage = AES_ENCRYPT_USAGE; 2737 dec_usage = AES_DECRYPT_USAGE; 2738 break; 2739 } 2740 if (cd->mech_type == CRYPTO_MECH_INVALID) { 2741 return (CRYPTO_FAILED); 2742 } 2743 2744 /* 2745 * If RC4, initialize the master crypto key used by 2746 * the RC4 algorithm to derive the final encrypt and decrypt keys. 2747 */ 2748 if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) { 2749 /* 2750 * cd->ckey is a kernel crypto key structure used as the 2751 * master key in the RC4-HMAC crypto operations. 2752 */ 2753 if (cd->ckey == NULL) { 2754 cd->ckey = (crypto_key_t *)kmem_zalloc( 2755 sizeof (crypto_key_t), KM_SLEEP); 2756 } 2757 2758 cd->ckey->ck_format = CRYPTO_KEY_RAW; 2759 cd->ckey->ck_data = cd->key; 2760 2761 /* key length for EF is measured in bits */ 2762 cd->ckey->ck_length = cd->keylen * 8; 2763 } 2764 2765 /* 2766 * cd->block and cd->saveblock are used as temporary storage for 2767 * data that must be carried over between encrypt/decrypt operations 2768 * in some of the "feedback" modes. 2769 */ 2770 if (newblocklen != cd->blocklen) { 2771 if (cd->block != NULL) { 2772 kmem_free(cd->block, cd->blocklen); 2773 cd->block = NULL; 2774 } 2775 2776 if (cd->saveblock != NULL) { 2777 kmem_free(cd->saveblock, cd->blocklen); 2778 cd->saveblock = NULL; 2779 } 2780 2781 cd->blocklen = newblocklen; 2782 if (cd->blocklen) { 2783 cd->block = (char *)kmem_zalloc((size_t)cd->blocklen, 2784 KM_SLEEP); 2785 } 2786 2787 if (cd->method == CRYPT_METHOD_DES_CFB) 2788 cd->saveblock = (char *)kmem_zalloc(cd->blocklen, 2789 KM_SLEEP); 2790 else 2791 cd->saveblock = NULL; 2792 } 2793 2794 if (ci->iveclen != cd->ivlen) { 2795 if (cd->ivec != NULL) { 2796 kmem_free(cd->ivec, cd->ivlen); 2797 cd->ivec = NULL; 2798 } 2799 if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) { 2800 cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen, 2801 KM_SLEEP); 2802 cd->ivlen = ci->iveclen; 2803 } else { 2804 cd->ivlen = 0; 2805 cd->ivec = NULL; 2806 } 2807 } 2808 cd->option_mask = ci->option_mask; 2809 2810 /* 2811 * Old protocol requires a static 'usage' value for 2812 * deriving keys. Yuk. 2813 */ 2814 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) { 2815 enc_usage = dec_usage = RCMDV1_USAGE; 2816 } 2817 2818 if (cd->ivlen > cd->blocklen) { 2819 cmn_err(CE_WARN, "setup_crypto: IV longer than block size"); 2820 return (EINVAL); 2821 } 2822 2823 /* 2824 * If we are using an IVEC "correctly" (i.e. set it once) 2825 * copy it here. 2826 */ 2827 if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL) 2828 bcopy(ci->ivec, cd->block, (size_t)cd->ivlen); 2829 2830 cd->ivec_usage = ci->ivec_usage; 2831 if (cd->ivec != NULL) { 2832 /* Save the original IVEC in case we need it later */ 2833 bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen); 2834 } 2835 /* 2836 * Special handling for 3DES-SHA1-HMAC and AES crypto: 2837 * generate derived keys and context templates 2838 * for better performance. 2839 */ 2840 if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 || 2841 IS_AES_METHOD(cd->method)) { 2842 crypto_mechanism_t enc_mech; 2843 crypto_mechanism_t hmac_mech; 2844 2845 if (cd->d_encr_key.ck_data != NULL) { 2846 bzero(cd->d_encr_key.ck_data, cd->keylen); 2847 kmem_free(cd->d_encr_key.ck_data, cd->keylen); 2848 } 2849 2850 if (cd->d_hmac_key.ck_data != NULL) { 2851 bzero(cd->d_hmac_key.ck_data, cd->keylen); 2852 kmem_free(cd->d_hmac_key.ck_data, cd->keylen); 2853 } 2854 2855 if (cd->enc_tmpl != NULL) 2856 (void) crypto_destroy_ctx_template(cd->enc_tmpl); 2857 2858 if (cd->hmac_tmpl != NULL) 2859 (void) crypto_destroy_ctx_template(cd->hmac_tmpl); 2860 2861 enc_mech.cm_type = cd->mech_type; 2862 enc_mech.cm_param = cd->ivec; 2863 enc_mech.cm_param_len = cd->ivlen; 2864 2865 hmac_mech.cm_type = sha1_hmac_mech; 2866 hmac_mech.cm_param = NULL; 2867 hmac_mech.cm_param_len = 0; 2868 2869 /* 2870 * Create the derived keys. 2871 */ 2872 rv = create_derived_keys(cd, 2873 (encrypt ? enc_usage : dec_usage), 2874 &cd->d_encr_key, &cd->d_hmac_key); 2875 2876 if (rv != CRYPTO_SUCCESS) { 2877 cmn_err(CE_WARN, "failed to create derived " 2878 "keys: %0x", rv); 2879 return (CRYPTO_FAILED); 2880 } 2881 2882 rv = crypto_create_ctx_template(&enc_mech, 2883 &cd->d_encr_key, 2884 &cd->enc_tmpl, KM_SLEEP); 2885 if (rv == CRYPTO_MECH_NOT_SUPPORTED) { 2886 cd->enc_tmpl = NULL; 2887 } else if (rv != CRYPTO_SUCCESS) { 2888 cmn_err(CE_WARN, "failed to create enc template " 2889 "for d_encr_key: %0x", rv); 2890 return (CRYPTO_FAILED); 2891 } 2892 2893 rv = crypto_create_ctx_template(&hmac_mech, 2894 &cd->d_hmac_key, 2895 &cd->hmac_tmpl, KM_SLEEP); 2896 if (rv == CRYPTO_MECH_NOT_SUPPORTED) { 2897 cd->hmac_tmpl = NULL; 2898 } else if (rv != CRYPTO_SUCCESS) { 2899 cmn_err(CE_WARN, "failed to create hmac template:" 2900 " %0x", rv); 2901 return (CRYPTO_FAILED); 2902 } 2903 } else if (IS_RC4_METHOD(cd->method)) { 2904 bzero(&cd->d_encr_key, sizeof (crypto_key_t)); 2905 bzero(&cd->d_hmac_key, sizeof (crypto_key_t)); 2906 cd->ctx = NULL; 2907 cd->enc_tmpl = NULL; 2908 cd->hmac_tmpl = NULL; 2909 } 2910 2911 /* Final sanity checks, make sure no fields are NULL */ 2912 if (cd->method != CRYPT_METHOD_NONE) { 2913 if (cd->block == NULL && cd->blocklen > 0) { 2914 #ifdef DEBUG 2915 cmn_err(CE_WARN, 2916 "setup_crypto: IV block not allocated"); 2917 #endif 2918 return (ENOMEM); 2919 } 2920 if (cd->key == NULL && cd->keylen > 0) { 2921 #ifdef DEBUG 2922 cmn_err(CE_WARN, 2923 "setup_crypto: key block not allocated"); 2924 #endif 2925 return (ENOMEM); 2926 } 2927 if (cd->method == CRYPT_METHOD_DES_CFB && 2928 cd->saveblock == NULL && cd->blocklen > 0) { 2929 #ifdef DEBUG 2930 cmn_err(CE_WARN, 2931 "setup_crypto: save block not allocated"); 2932 #endif 2933 return (ENOMEM); 2934 } 2935 if (cd->ivec == NULL && cd->ivlen > 0) { 2936 #ifdef DEBUG 2937 cmn_err(CE_WARN, 2938 "setup_crypto: IV not allocated"); 2939 #endif 2940 return (ENOMEM); 2941 } 2942 } 2943 return (0); 2944 } 2945 2946 /* 2947 * RCMDS require a 4 byte, clear text 2948 * length field before each message. 2949 * Add it now. 2950 */ 2951 static mblk_t * 2952 mklenmp(mblk_t *bp, uint32_t len) 2953 { 2954 mblk_t *lenmp; 2955 uchar_t *ucp; 2956 2957 if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) { 2958 lenmp = allocb(4, BPRI_MED); 2959 if (lenmp != NULL) { 2960 lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp); 2961 linkb(lenmp, bp); 2962 bp = lenmp; 2963 } 2964 } 2965 ucp = bp->b_rptr; 2966 *--ucp = len; 2967 *--ucp = len >> 8; 2968 *--ucp = len >> 16; 2969 *--ucp = len >> 24; 2970 2971 bp->b_rptr = ucp; 2972 2973 return (bp); 2974 } 2975 2976 /* 2977 * encrypt_msgb 2978 * 2979 * encrypt a single message. This routine adds the 2980 * RCMD overhead bytes when necessary. 2981 */ 2982 static mblk_t * 2983 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) 2984 { 2985 mblk_t *newmp; 2986 size_t plainlen; 2987 size_t headspace; 2988 2989 if (tmi->enc_data.method == CRYPT_METHOD_NONE) { 2990 return (mp); 2991 } 2992 2993 /* 2994 * process message 2995 */ 2996 newmp = NULL; 2997 if ((plainlen = MBLKL(mp)) > 0) { 2998 mblk_t *cbp; 2999 size_t cipherlen; 3000 size_t extra = 0; 3001 uint32_t ptlen = (uint32_t)plainlen; 3002 3003 /* 3004 * If we are using the "NEW" RCMD mode, 3005 * add 4 bytes to the plaintext for the 3006 * plaintext length that gets prepended 3007 * before encrypting. 3008 */ 3009 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 3010 ptlen += 4; 3011 3012 cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen); 3013 3014 /* 3015 * if we must allocb, then make sure its enough 3016 * to hold the length field so we dont have to allocb 3017 * again down below in 'mklenmp' 3018 */ 3019 if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) { 3020 extra = sizeof (uint32_t); 3021 } 3022 3023 /* 3024 * Calculate how much space is needed in front of 3025 * the data. 3026 */ 3027 headspace = plaintext_offset(&tmi->enc_data); 3028 3029 /* 3030 * If the current block is too small, reallocate 3031 * one large enough to hold the hdr, tail, and 3032 * ciphertext. 3033 */ 3034 if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) { 3035 int sz = P2ROUNDUP(cipherlen+extra, 8); 3036 3037 cbp = allocb_tmpl(sz, mp); 3038 if (cbp == NULL) { 3039 cmn_err(CE_WARN, 3040 "allocb (%d bytes) failed", sz); 3041 return (NULL); 3042 } 3043 3044 cbp->b_cont = mp->b_cont; 3045 3046 /* 3047 * headspace includes the length fields needed 3048 * for the RCMD modes (v1 == 4 bytes, V2 = 8) 3049 */ 3050 cbp->b_rptr = DB_BASE(cbp) + headspace; 3051 3052 ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen, 8) 3053 <= DB_LIM(cbp)); 3054 3055 bcopy(mp->b_rptr, cbp->b_rptr, plainlen); 3056 cbp->b_wptr = cbp->b_rptr + plainlen; 3057 3058 freeb(mp); 3059 } else { 3060 size_t extra = 0; 3061 cbp = mp; 3062 3063 /* 3064 * Some ciphers add HMAC after the final block 3065 * of the ciphertext, not at the beginning like the 3066 * 1-DES ciphers. 3067 */ 3068 if (tmi->enc_data.method == 3069 CRYPT_METHOD_DES3_CBC_SHA1 || 3070 IS_AES_METHOD(tmi->enc_data.method)) { 3071 extra = sha1_hash.hash_len; 3072 } 3073 3074 /* 3075 * Make sure the rptr is positioned correctly so that 3076 * routines later do not have to shift this data around 3077 */ 3078 if ((cbp->b_rptr + P2ROUNDUP(plainlen + extra, 8) > 3079 DB_LIM(cbp)) || 3080 (cbp->b_rptr - headspace < DB_BASE(cbp))) { 3081 ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace, 3082 plainlen); 3083 cbp->b_rptr = DB_BASE(cbp) + headspace; 3084 cbp->b_wptr = cbp->b_rptr + plainlen; 3085 } 3086 } 3087 3088 ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp)); 3089 ASSERT(cbp->b_wptr <= DB_LIM(cbp)); 3090 3091 /* 3092 * If using RCMD_MODE_V2 (new rcmd mode), prepend 3093 * the plaintext length before the actual plaintext. 3094 */ 3095 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) { 3096 cbp->b_rptr -= RCMD_LEN_SZ; 3097 3098 /* put plaintext length at head of buffer */ 3099 *(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff); 3100 *(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff); 3101 *(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff); 3102 *(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff); 3103 } 3104 3105 newmp = do_encrypt(q, cbp); 3106 3107 if (newmp != NULL && 3108 (tmi->enc_data.option_mask & 3109 (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) { 3110 mblk_t *lp; 3111 /* 3112 * Add length field, required when this is 3113 * used to encrypt "r*" commands(rlogin, rsh) 3114 * with Kerberos. 3115 */ 3116 lp = mklenmp(newmp, plainlen); 3117 3118 if (lp == NULL) { 3119 freeb(newmp); 3120 return (NULL); 3121 } else { 3122 newmp = lp; 3123 } 3124 } 3125 } else { 3126 freeb(mp); 3127 } 3128 3129 return (newmp); 3130 } 3131 3132 /* 3133 * cryptmodwsrv 3134 * 3135 * Service routine for the write queue. 3136 * 3137 * Because data may be placed in the queue to hold between 3138 * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed. 3139 */ 3140 static int 3141 cryptmodwsrv(queue_t *q) 3142 { 3143 mblk_t *mp; 3144 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 3145 3146 while ((mp = getq(q)) != NULL) { 3147 switch (mp->b_datap->db_type) { 3148 default: 3149 /* 3150 * wput does not queue anything > QPCTL 3151 */ 3152 if (!canputnext(q) || 3153 !(tmi->ready & CRYPT_WRITE_READY)) { 3154 if (!putbq(q, mp)) { 3155 freemsg(mp); 3156 } 3157 return (0); 3158 } 3159 putnext(q, mp); 3160 break; 3161 case M_DATA: 3162 if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) { 3163 mblk_t *bp; 3164 mblk_t *newmsg = NULL; 3165 3166 /* 3167 * If multiple msgs, concat into 1 3168 * to minimize crypto operations later. 3169 */ 3170 if (mp->b_cont != NULL) { 3171 bp = msgpullup(mp, -1); 3172 if (bp != NULL) { 3173 freemsg(mp); 3174 mp = bp; 3175 } 3176 } 3177 newmsg = encrypt_msgb(q, tmi, mp); 3178 if (newmsg != NULL) 3179 putnext(q, newmsg); 3180 } else { 3181 if (!putbq(q, mp)) { 3182 freemsg(mp); 3183 } 3184 return (0); 3185 } 3186 break; 3187 } 3188 } 3189 return (0); 3190 } 3191 3192 static void 3193 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir) 3194 { 3195 mblk_t *newmp = NULL; 3196 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr; 3197 3198 if (dir == CRYPT_ENCRYPT) { 3199 tmi->ready |= CRYPT_WRITE_READY; 3200 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, 3201 "start_stream: restart ENCRYPT/WRITE q")); 3202 3203 enableok(wq); 3204 qenable(wq); 3205 } else if (dir == CRYPT_DECRYPT) { 3206 /* 3207 * put any extra data in the RD 3208 * queue to be processed and 3209 * sent back up. 3210 */ 3211 newmp = mp->b_cont; 3212 mp->b_cont = NULL; 3213 3214 tmi->ready |= CRYPT_READ_READY; 3215 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3216 SL_TRACE|SL_NOTE, 3217 "start_stream: restart " 3218 "DECRYPT/READ q")); 3219 3220 if (newmp != NULL) 3221 if (!putbq(RD(wq), newmp)) 3222 freemsg(newmp); 3223 3224 enableok(RD(wq)); 3225 qenable(RD(wq)); 3226 } 3227 3228 miocack(wq, mp, 0, 0); 3229 } 3230 3231 /* 3232 * Write-side put procedure. Its main task is to detect ioctls and 3233 * FLUSH operations. Other message types are passed on through. 3234 */ 3235 static void 3236 cryptmodwput(queue_t *wq, mblk_t *mp) 3237 { 3238 struct iocblk *iocp; 3239 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr; 3240 int ret, err; 3241 3242 switch (mp->b_datap->db_type) { 3243 case M_DATA: 3244 if (wq->q_first == NULL && canputnext(wq) && 3245 (tmi->ready & CRYPT_WRITE_READY) && 3246 tmi->enc_data.method == CRYPT_METHOD_NONE) { 3247 putnext(wq, mp); 3248 return; 3249 } 3250 /* else, put it in the service queue */ 3251 if (!putq(wq, mp)) { 3252 freemsg(mp); 3253 } 3254 break; 3255 case M_FLUSH: 3256 if (*mp->b_rptr & FLUSHW) { 3257 flushq(wq, FLUSHDATA); 3258 } 3259 putnext(wq, mp); 3260 break; 3261 case M_IOCTL: 3262 iocp = (struct iocblk *)mp->b_rptr; 3263 switch (iocp->ioc_cmd) { 3264 case CRYPTIOCSETUP: 3265 ret = 0; 3266 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3267 SL_TRACE | SL_NOTE, 3268 "wput: got CRYPTIOCSETUP " 3269 "ioctl(%d)", iocp->ioc_cmd)); 3270 3271 if ((err = miocpullup(mp, 3272 sizeof (struct cr_info_t))) != 0) { 3273 cmn_err(CE_WARN, 3274 "wput: miocpullup failed for cr_info_t"); 3275 miocnak(wq, mp, 0, err); 3276 } else { 3277 struct cr_info_t *ci; 3278 ci = (struct cr_info_t *)mp->b_cont->b_rptr; 3279 3280 if (ci->direction_mask & CRYPT_ENCRYPT) { 3281 ret = setup_crypto(ci, &tmi->enc_data, 1); 3282 } 3283 3284 if (ret == 0 && 3285 (ci->direction_mask & CRYPT_DECRYPT)) { 3286 ret = setup_crypto(ci, &tmi->dec_data, 0); 3287 } 3288 if (ret == 0 && 3289 (ci->direction_mask & CRYPT_DECRYPT) && 3290 ANY_RCMD_MODE(tmi->dec_data.option_mask)) { 3291 bzero(&tmi->rcmd_state, 3292 sizeof (tmi->rcmd_state)); 3293 } 3294 if (ret == 0) { 3295 miocack(wq, mp, 0, 0); 3296 } else { 3297 cmn_err(CE_WARN, 3298 "wput: setup_crypto failed"); 3299 miocnak(wq, mp, 0, ret); 3300 } 3301 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3302 SL_TRACE|SL_NOTE, 3303 "wput: done with SETUP " 3304 "ioctl")); 3305 } 3306 break; 3307 case CRYPTIOCSTOP: 3308 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3309 SL_TRACE|SL_NOTE, 3310 "wput: got CRYPTIOCSTOP " 3311 "ioctl(%d)", iocp->ioc_cmd)); 3312 3313 if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) { 3314 cmn_err(CE_WARN, 3315 "wput: CRYPTIOCSTOP ioctl wrong " 3316 "size (%d should be %d)", 3317 (int)iocp->ioc_count, 3318 (int)sizeof (uint32_t)); 3319 miocnak(wq, mp, 0, err); 3320 } else { 3321 uint32_t *stopdir; 3322 3323 stopdir = (uint32_t *)mp->b_cont->b_rptr; 3324 if (!CR_DIRECTION_OK(*stopdir)) { 3325 miocnak(wq, mp, 0, EINVAL); 3326 return; 3327 } 3328 3329 /* disable the queues until further notice */ 3330 if (*stopdir & CRYPT_ENCRYPT) { 3331 noenable(wq); 3332 tmi->ready &= ~CRYPT_WRITE_READY; 3333 } 3334 if (*stopdir & CRYPT_DECRYPT) { 3335 noenable(RD(wq)); 3336 tmi->ready &= ~CRYPT_READ_READY; 3337 } 3338 3339 miocack(wq, mp, 0, 0); 3340 } 3341 break; 3342 case CRYPTIOCSTARTDEC: 3343 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3344 SL_TRACE|SL_NOTE, 3345 "wput: got CRYPTIOCSTARTDEC " 3346 "ioctl(%d)", iocp->ioc_cmd)); 3347 3348 start_stream(wq, mp, CRYPT_DECRYPT); 3349 break; 3350 case CRYPTIOCSTARTENC: 3351 (void) (STRLOG(CRYPTMOD_ID, 0, 5, 3352 SL_TRACE|SL_NOTE, 3353 "wput: got CRYPTIOCSTARTENC " 3354 "ioctl(%d)", iocp->ioc_cmd)); 3355 3356 start_stream(wq, mp, CRYPT_ENCRYPT); 3357 break; 3358 default: 3359 putnext(wq, mp); 3360 break; 3361 } 3362 break; 3363 default: 3364 if (queclass(mp) < QPCTL) { 3365 if (wq->q_first != NULL || !canputnext(wq)) { 3366 if (!putq(wq, mp)) 3367 freemsg(mp); 3368 return; 3369 } 3370 } 3371 putnext(wq, mp); 3372 break; 3373 } 3374 } 3375 3376 /* 3377 * decrypt_rcmd_mblks 3378 * 3379 * Because kerberized r* commands(rsh, rlogin, etc) 3380 * use a 4 byte length field to indicate the # of 3381 * PLAINTEXT bytes that are encrypted in the field 3382 * that follows, we must parse out each message and 3383 * break out the length fields prior to sending them 3384 * upstream to our Solaris r* clients/servers which do 3385 * NOT understand this format. 3386 * 3387 * Kerberized/encrypted message format: 3388 * ------------------------------- 3389 * | XXXX | N bytes of ciphertext| 3390 * ------------------------------- 3391 * 3392 * Where: XXXX = number of plaintext bytes that were encrypted in 3393 * to make the ciphertext field. This is done 3394 * because we are using a cipher that pads out to 3395 * an 8 byte boundary. We only want the application 3396 * layer to see the correct number of plain text bytes, 3397 * not plaintext + pad. So, after we decrypt, we 3398 * must trim the output block down to the intended 3399 * plaintext length and eliminate the pad bytes. 3400 * 3401 * This routine takes the entire input message, breaks it into 3402 * a new message that does not contain these length fields and 3403 * returns a message consisting of mblks filled with just ciphertext. 3404 * 3405 */ 3406 static mblk_t * 3407 decrypt_rcmd_mblks(queue_t *q, mblk_t *mp) 3408 { 3409 mblk_t *newmp = NULL; 3410 size_t msglen; 3411 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 3412 3413 msglen = msgsize(mp); 3414 3415 /* 3416 * If we need the length field, get it here. 3417 * Test the "plaintext length" indicator. 3418 */ 3419 if (tmi->rcmd_state.pt_len == 0) { 3420 uint32_t elen; 3421 int tocopy; 3422 mblk_t *nextp; 3423 3424 /* 3425 * Make sure we have recieved all 4 bytes of the 3426 * length field. 3427 */ 3428 while (mp != NULL) { 3429 ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t)); 3430 3431 tocopy = sizeof (uint32_t) - 3432 tmi->rcmd_state.cd_len; 3433 if (tocopy > msglen) 3434 tocopy = msglen; 3435 3436 ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp)); 3437 bcopy(mp->b_rptr, 3438 (char *)(&tmi->rcmd_state.next_len + 3439 tmi->rcmd_state.cd_len), tocopy); 3440 3441 tmi->rcmd_state.cd_len += tocopy; 3442 3443 if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) { 3444 tmi->rcmd_state.next_len = 3445 ntohl(tmi->rcmd_state.next_len); 3446 break; 3447 } 3448 3449 nextp = mp->b_cont; 3450 mp->b_cont = NULL; 3451 freeb(mp); 3452 mp = nextp; 3453 } 3454 3455 if (mp == NULL) { 3456 return (NULL); 3457 } 3458 /* 3459 * recalculate the msglen now that we've read the 3460 * length and adjusted the bufptr (b_rptr). 3461 */ 3462 msglen -= tocopy; 3463 mp->b_rptr += tocopy; 3464 3465 tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len; 3466 3467 if (tmi->rcmd_state.pt_len <= 0) { 3468 /* 3469 * Return an IO error to break the connection. there 3470 * is no way to recover from this. Usually it means 3471 * the app has incorrectly requested decryption on 3472 * a non-encrypted stream, thus the "pt_len" field 3473 * is negative. 3474 */ 3475 mp->b_datap->db_type = M_ERROR; 3476 mp->b_rptr = mp->b_datap->db_base; 3477 *mp->b_rptr = EIO; 3478 mp->b_wptr = mp->b_rptr + sizeof (char); 3479 3480 freemsg(mp->b_cont); 3481 mp->b_cont = NULL; 3482 qreply(WR(q), mp); 3483 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0; 3484 return (NULL); 3485 } 3486 3487 /* 3488 * If this is V2 mode, then the encrypted data is actually 3489 * 4 bytes bigger than the indicated len because the plaintext 3490 * length is encrypted for an additional security check, but 3491 * its not counted as part of the overall length we just read. 3492 * Strange and confusing, but true. 3493 */ 3494 3495 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 3496 elen = tmi->rcmd_state.pt_len + 4; 3497 else 3498 elen = tmi->rcmd_state.pt_len; 3499 3500 tmi->rcmd_state.cd_len = encrypt_size(&tmi->dec_data, elen); 3501 3502 /* 3503 * Allocate an mblk to hold the cipher text until it is 3504 * all ready to be processed. 3505 */ 3506 tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len, 3507 BPRI_HI); 3508 if (tmi->rcmd_state.c_msg == NULL) { 3509 #ifdef DEBUG 3510 cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed " 3511 "for %d bytes", 3512 (int)tmi->rcmd_state.cd_len); 3513 #endif 3514 /* 3515 * Return an IO error to break the connection. 3516 */ 3517 mp->b_datap->db_type = M_ERROR; 3518 mp->b_rptr = mp->b_datap->db_base; 3519 *mp->b_rptr = EIO; 3520 mp->b_wptr = mp->b_rptr + sizeof (char); 3521 freemsg(mp->b_cont); 3522 mp->b_cont = NULL; 3523 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0; 3524 qreply(WR(q), mp); 3525 return (NULL); 3526 } 3527 } 3528 3529 /* 3530 * If this entire message was just the length field, 3531 * free and return. The actual data will probably be next. 3532 */ 3533 if (msglen == 0) { 3534 freemsg(mp); 3535 return (NULL); 3536 } 3537 3538 /* 3539 * Copy as much of the cipher text as possible into 3540 * the new msgb (c_msg). 3541 * 3542 * Logic: if we got some bytes (msglen) and we still 3543 * "need" some bytes (len-rcvd), get them here. 3544 */ 3545 ASSERT(tmi->rcmd_state.c_msg != NULL); 3546 if (msglen > 0 && 3547 (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) { 3548 mblk_t *bp, *nextp; 3549 size_t n; 3550 3551 /* 3552 * Walk the mblks and copy just as many bytes as we need 3553 * for this particular block of cipher text. 3554 */ 3555 bp = mp; 3556 while (bp != NULL) { 3557 size_t needed; 3558 size_t tocopy; 3559 n = MBLKL(bp); 3560 3561 needed = tmi->rcmd_state.cd_len - 3562 MBLKL(tmi->rcmd_state.c_msg); 3563 3564 tocopy = (needed >= n ? n : needed); 3565 3566 ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp)); 3567 ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <= 3568 DB_LIM(tmi->rcmd_state.c_msg)); 3569 3570 /* Copy to end of new mblk */ 3571 bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr, 3572 tocopy); 3573 3574 tmi->rcmd_state.c_msg->b_wptr += tocopy; 3575 3576 bp->b_rptr += tocopy; 3577 3578 nextp = bp->b_cont; 3579 3580 /* 3581 * If we used this whole block, free it and 3582 * move on. 3583 */ 3584 if (!MBLKL(bp)) { 3585 freeb(bp); 3586 bp = NULL; 3587 } 3588 3589 /* If we got what we needed, stop the loop */ 3590 if (MBLKL(tmi->rcmd_state.c_msg) == 3591 tmi->rcmd_state.cd_len) { 3592 /* 3593 * If there is more data in the message, 3594 * its for another block of cipher text, 3595 * put it back in the queue for next time. 3596 */ 3597 if (bp) { 3598 if (!putbq(q, bp)) 3599 freemsg(bp); 3600 } else if (nextp != NULL) { 3601 /* 3602 * If there is more, put it back in the 3603 * queue for another pass thru. 3604 */ 3605 if (!putbq(q, nextp)) 3606 freemsg(nextp); 3607 } 3608 break; 3609 } 3610 bp = nextp; 3611 } 3612 } 3613 /* 3614 * Finally, if we received all the cipher text data for 3615 * this message, decrypt it into a new msg and send it up 3616 * to the app. 3617 */ 3618 if (tmi->rcmd_state.pt_len > 0 && 3619 MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) { 3620 mblk_t *bp; 3621 mblk_t *newbp; 3622 3623 /* 3624 * Now we can use our msg that we created when the 3625 * initial message boundary was detected. 3626 */ 3627 bp = tmi->rcmd_state.c_msg; 3628 tmi->rcmd_state.c_msg = NULL; 3629 3630 newbp = do_decrypt(q, bp); 3631 if (newbp != NULL) { 3632 bp = newbp; 3633 /* 3634 * If using RCMD_MODE_V2 ("new" mode), 3635 * look at the 4 byte plaintext length that 3636 * was just decrypted and compare with the 3637 * original pt_len value that was received. 3638 */ 3639 if (tmi->dec_data.option_mask & 3640 CRYPTOPT_RCMD_MODE_V2) { 3641 uint32_t pt_len2; 3642 3643 pt_len2 = *(uint32_t *)bp->b_rptr; 3644 pt_len2 = ntohl(pt_len2); 3645 /* 3646 * Make sure the 2 pt len fields agree. 3647 */ 3648 if (pt_len2 != tmi->rcmd_state.pt_len) { 3649 cmn_err(CE_WARN, 3650 "Inconsistent length fields" 3651 " received %d != %d", 3652 (int)tmi->rcmd_state.pt_len, 3653 (int)pt_len2); 3654 bp->b_datap->db_type = M_ERROR; 3655 bp->b_rptr = bp->b_datap->db_base; 3656 *bp->b_rptr = EIO; 3657 bp->b_wptr = bp->b_rptr + sizeof (char); 3658 freemsg(bp->b_cont); 3659 bp->b_cont = NULL; 3660 tmi->rcmd_state.cd_len = 0; 3661 qreply(WR(q), bp); 3662 return (NULL); 3663 } 3664 bp->b_rptr += sizeof (uint32_t); 3665 } 3666 3667 /* 3668 * Trim the decrypted block the length originally 3669 * indicated by the sender. This is to remove any 3670 * padding bytes that the sender added to satisfy 3671 * requirements of the crypto algorithm. 3672 */ 3673 bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len; 3674 3675 newmp = bp; 3676 3677 /* 3678 * Reset our state to indicate we are ready 3679 * for a new message. 3680 */ 3681 tmi->rcmd_state.pt_len = 0; 3682 tmi->rcmd_state.cd_len = 0; 3683 } else { 3684 #ifdef DEBUG 3685 cmn_err(CE_WARN, 3686 "decrypt_rcmd: do_decrypt on %d bytes failed", 3687 (int)tmi->rcmd_state.cd_len); 3688 #endif 3689 /* 3690 * do_decrypt already handled failures, just 3691 * return NULL. 3692 */ 3693 tmi->rcmd_state.pt_len = 0; 3694 tmi->rcmd_state.cd_len = 0; 3695 return (NULL); 3696 } 3697 } 3698 3699 /* 3700 * return the new message with the 'length' fields removed 3701 */ 3702 return (newmp); 3703 } 3704 3705 /* 3706 * cryptmodrsrv 3707 * 3708 * Read queue service routine 3709 * Necessary because if the ready flag is not set 3710 * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data 3711 * must remain on queue and not be passed along. 3712 */ 3713 static int 3714 cryptmodrsrv(queue_t *q) 3715 { 3716 mblk_t *mp, *bp; 3717 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; 3718 3719 while ((mp = getq(q)) != NULL) { 3720 switch (mp->b_datap->db_type) { 3721 case M_DATA: 3722 if (canputnext(q) && tmi->ready & CRYPT_READ_READY) { 3723 /* 3724 * Process "rcmd" messages differently because 3725 * they contain a 4 byte plaintext length 3726 * id that needs to be removed. 3727 */ 3728 if (tmi->dec_data.method != CRYPT_METHOD_NONE && 3729 (tmi->dec_data.option_mask & 3730 (CRYPTOPT_RCMD_MODE_V1 | 3731 CRYPTOPT_RCMD_MODE_V2))) { 3732 mp = decrypt_rcmd_mblks(q, mp); 3733 if (mp) 3734 putnext(q, mp); 3735 continue; 3736 } 3737 if ((bp = msgpullup(mp, -1)) != NULL) { 3738 freemsg(mp); 3739 if (MBLKL(bp) > 0) { 3740 mp = do_decrypt(q, bp); 3741 if (mp != NULL) 3742 putnext(q, mp); 3743 } 3744 } 3745 } else { 3746 if (!putbq(q, mp)) { 3747 freemsg(mp); 3748 } 3749 return (0); 3750 } 3751 break; 3752 default: 3753 /* 3754 * rput does not queue anything > QPCTL, so we don't 3755 * need to check for it here. 3756 */ 3757 if (!canputnext(q)) { 3758 if (!putbq(q, mp)) 3759 freemsg(mp); 3760 return (0); 3761 } 3762 putnext(q, mp); 3763 break; 3764 } 3765 } 3766 return (0); 3767 } 3768 3769 3770 /* 3771 * Read-side put procedure. 3772 */ 3773 static void 3774 cryptmodrput(queue_t *rq, mblk_t *mp) 3775 { 3776 switch (mp->b_datap->db_type) { 3777 case M_DATA: 3778 if (!putq(rq, mp)) { 3779 freemsg(mp); 3780 } 3781 break; 3782 case M_FLUSH: 3783 if (*mp->b_rptr & FLUSHR) { 3784 flushq(rq, FLUSHALL); 3785 } 3786 putnext(rq, mp); 3787 break; 3788 default: 3789 if (queclass(mp) < QPCTL) { 3790 if (rq->q_first != NULL || !canputnext(rq)) { 3791 if (!putq(rq, mp)) 3792 freemsg(mp); 3793 return; 3794 } 3795 } 3796 putnext(rq, mp); 3797 break; 3798 } 3799 } 3800