xref: /titanic_52/usr/src/uts/common/io/cryptmod.c (revision bdfc6d18da790deeec2e0eb09c625902defe2498)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  *
26  * STREAMS Crypto Module
27  *
28  * This module is used to facilitate Kerberos encryption
29  * operations for the telnet daemon and rlogin daemon.
30  * Because the Solaris telnet and rlogin daemons run mostly
31  * in-kernel via 'telmod' and 'rlmod', this module must be
32  * pushed on the STREAM *below* telmod or rlmod.
33  *
34  * Parts of the 3DES key derivation code are covered by the
35  * following copyright.
36  *
37  * Copyright (C) 1998 by the FundsXpress, INC.
38  *
39  * All rights reserved.
40  *
41  * Export of this software from the United States of America may require
42  * a specific license from the United States Government.  It is the
43  * responsibility of any person or organization contemplating export to
44  * obtain such a license before exporting.
45  *
46  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
47  * distribute this software and its documentation for any purpose and
48  * without fee is hereby granted, provided that the above copyright
49  * notice appear in all copies and that both that copyright notice and
50  * this permission notice appear in supporting documentation, and that
51  * the name of FundsXpress. not be used in advertising or publicity pertaining
52  * to distribution of the software without specific, written prior
53  * permission.  FundsXpress makes no representations about the suitability of
54  * this software for any purpose.  It is provided "as is" without express
55  * or implied warranty.
56  *
57  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
58  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
59  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
60  */
61 #pragma ident	"%Z%%M%	%I%	%E% SMI"
62 
63 #include <sys/types.h>
64 #include <sys/sysmacros.h>
65 #include <sys/errno.h>
66 #include <sys/debug.h>
67 #include <sys/time.h>
68 #include <sys/stropts.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/strlog.h>
72 #include <sys/cmn_err.h>
73 #include <sys/conf.h>
74 #include <sys/sunddi.h>
75 #include <sys/kmem.h>
76 #include <sys/strsun.h>
77 #include <sys/random.h>
78 #include <sys/types.h>
79 #include <sys/byteorder.h>
80 #include <sys/cryptmod.h>
81 #include <sys/crc32.h>
82 #include <sys/policy.h>
83 
84 #include <sys/crypto/api.h>
85 
86 #include <sys/strft.h>
87 /*
88  * Function prototypes.
89  */
90 static	int	cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
91 static  void	cryptmodrput(queue_t *, mblk_t *);
92 static  void	cryptmodwput(queue_t *, mblk_t *);
93 static	int	cryptmodclose(queue_t *);
94 static	int	cryptmodwsrv(queue_t *);
95 static	int	cryptmodrsrv(queue_t *);
96 
97 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
98 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);
99 
100 #define	CRYPTMOD_ID 5150
101 
102 #define	CFB_BLKSZ 8
103 
104 #define	K5CLENGTH 5
105 
106 static struct module_info	cryptmod_minfo = {
107 	CRYPTMOD_ID,	/* mi_idnum */
108 	"cryptmod",	/* mi_idname */
109 	0,		/* mi_minpsz */
110 	INFPSZ,		/* mi_maxpsz */
111 	65536,		/* mi_hiwat */
112 	1024		/* mi_lowat */
113 };
114 
115 static struct qinit	cryptmod_rinit = {
116 	(int (*)())cryptmodrput,	/* qi_putp */
117 	cryptmodrsrv,	/* qi_svc */
118 	cryptmodopen,	/* qi_qopen */
119 	cryptmodclose,	/* qi_qclose */
120 	NULL,		/* qi_qadmin */
121 	&cryptmod_minfo,	/* qi_minfo */
122 	NULL		/* qi_mstat */
123 };
124 
125 static struct qinit	cryptmod_winit = {
126 	(int (*)())cryptmodwput,	/* qi_putp */
127 	cryptmodwsrv,	/* qi_srvp */
128 	NULL,		/* qi_qopen */
129 	NULL,		/* qi_qclose */
130 	NULL,		/* qi_qadmin */
131 	&cryptmod_minfo,	/* qi_minfo */
132 	NULL		/* qi_mstat */
133 };
134 
135 static struct streamtab	cryptmod_info = {
136 	&cryptmod_rinit,	/* st_rdinit */
137 	&cryptmod_winit,	/* st_wrinit */
138 	NULL,	/* st_muxrinit */
139 	NULL	/* st_muxwinit */
140 };
141 
142 typedef struct {
143 	uint_t hash_len;
144 	uint_t confound_len;
145 	int (*hashfunc)();
146 } hash_info_t;
147 
148 #define	MAX_CKSUM_LEN 20
149 #define	CONFOUNDER_LEN 8
150 
151 #define	SHA1_HASHSIZE 20
152 #define	MD5_HASHSIZE 16
153 #define	CRC32_HASHSIZE 4
154 
155 static int crc32_calc(uchar_t *, uchar_t *, uint_t);
156 static int md5_calc(uchar_t *, uchar_t *, uint_t);
157 static int sha1_calc(uchar_t *, uchar_t *, uint_t);
158 
159 static hash_info_t null_hash = {0, 0, NULL};
160 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
161 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
162 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};
163 
164 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
165 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
166 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
167 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;
168 
169 static int kef_crypt(struct cipher_data_t *, void *,
170 		    crypto_data_format_t, size_t, int);
171 static mblk_t *
172 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
173 		mblk_t *, hash_info_t *);
174 static mblk_t *
175 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
176 		mblk_t *, hash_info_t *);
177 
178 static int
179 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);
180 
181 /*
182  * This is the loadable module wrapper.
183  */
184 #include <sys/modctl.h>
185 
186 static struct fmodsw fsw = {
187 	"cryptmod",
188 	&cryptmod_info,
189 	D_MP | D_MTQPAIR
190 };
191 
192 /*
193  * Module linkage information for the kernel.
194  */
195 static struct modlstrmod modlstrmod = {
196 	&mod_strmodops,
197 	"STREAMS encryption module %I%",
198 	&fsw
199 };
200 
201 static struct modlinkage modlinkage = {
202 	MODREV_1,
203 	&modlstrmod,
204 	NULL
205 };
206 
207 int
208 _init(void)
209 {
210 	return (mod_install(&modlinkage));
211 }
212 
213 int
214 _fini(void)
215 {
216 	return (mod_remove(&modlinkage));
217 }
218 
219 int
220 _info(struct modinfo *modinfop)
221 {
222 	return (mod_info(&modlinkage, modinfop));
223 }
224 
225 static void
226 cleanup(struct cipher_data_t *cd)
227 {
228 	if (cd->key != NULL) {
229 		bzero(cd->key, cd->keylen);
230 		kmem_free(cd->key, cd->keylen);
231 		cd->key = NULL;
232 	}
233 
234 	if (cd->ckey != NULL) {
235 		/*
236 		 * ckey is a crypto_key_t structure which references
237 		 * "cd->key" for its raw key data.  Since that was already
238 		 * cleared out, we don't need another "bzero" here.
239 		 */
240 		kmem_free(cd->ckey, sizeof (crypto_key_t));
241 		cd->ckey = NULL;
242 	}
243 
244 	if (cd->block != NULL) {
245 		kmem_free(cd->block, cd->blocklen);
246 		cd->block = NULL;
247 	}
248 
249 	if (cd->saveblock != NULL) {
250 		kmem_free(cd->saveblock, cd->blocklen);
251 		cd->saveblock = NULL;
252 	}
253 
254 	if (cd->ivec != NULL) {
255 		kmem_free(cd->ivec, cd->ivlen);
256 		cd->ivec = NULL;
257 	}
258 
259 	if (cd->d_encr_key.ck_data != NULL) {
260 		bzero(cd->d_encr_key.ck_data, cd->keylen);
261 		kmem_free(cd->d_encr_key.ck_data, cd->keylen);
262 	}
263 
264 	if (cd->d_hmac_key.ck_data != NULL) {
265 		bzero(cd->d_hmac_key.ck_data, cd->keylen);
266 		kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
267 	}
268 
269 	if (cd->enc_tmpl != NULL)
270 		(void) crypto_destroy_ctx_template(cd->enc_tmpl);
271 
272 	if (cd->hmac_tmpl != NULL)
273 		(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
274 
275 	if (cd->ctx != NULL) {
276 		crypto_cancel_ctx(cd->ctx);
277 		cd->ctx = NULL;
278 	}
279 }
280 
281 /* ARGSUSED */
282 static int
283 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
284 {
285 	struct tmodinfo	*tmi;
286 	ASSERT(rq);
287 
288 	if (sflag != MODOPEN)
289 		return (EINVAL);
290 
291 	(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
292 			"cryptmodopen: opening module(PID %d)",
293 			ddi_get_pid()));
294 
295 	if (rq->q_ptr != NULL) {
296 		cmn_err(CE_WARN, "cryptmodopen: already opened");
297 		return (0);
298 	}
299 
300 	/*
301 	 * Allocate and initialize per-Stream structure.
302 	 */
303 	tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo),
304 						KM_SLEEP);
305 
306 	tmi->enc_data.method = CRYPT_METHOD_NONE;
307 	tmi->dec_data.method = CRYPT_METHOD_NONE;
308 
309 	tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);
310 
311 	rq->q_ptr = WR(rq)->q_ptr = tmi;
312 
313 	sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
314 	md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
315 	sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
316 	md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);
317 
318 	qprocson(rq);
319 
320 	return (0);
321 }
322 
323 static int
324 cryptmodclose(queue_t *rq)
325 {
326 	struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
327 	ASSERT(tmi);
328 
329 	qprocsoff(rq);
330 
331 	cleanup(&tmi->enc_data);
332 	cleanup(&tmi->dec_data);
333 
334 	kmem_free(tmi, sizeof (struct tmodinfo));
335 	rq->q_ptr = WR(rq)->q_ptr = NULL;
336 
337 	return (0);
338 }
339 
340 /*
341  * plaintext_offset
342  *
343  * Calculate exactly how much space is needed in front
344  * of the "plaintext" in an mbuf so it can be positioned
345  * 1 time instead of potentially moving the data multiple
346  * times.
347  */
348 static int
349 plaintext_offset(struct cipher_data_t *cd)
350 {
351 	int headspace = 0;
352 
353 	/* 4 byte length prepended to all RCMD msgs */
354 	if (ANY_RCMD_MODE(cd->option_mask))
355 		headspace += RCMD_LEN_SZ;
356 
357 	/* RCMD V2 mode adds an additional 4 byte plaintext length */
358 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
359 		headspace += RCMD_LEN_SZ;
360 
361 	/* Need extra space for hash and counfounder */
362 	switch (cd->method) {
363 	case CRYPT_METHOD_DES_CBC_NULL:
364 		headspace += null_hash.hash_len + null_hash.confound_len;
365 		break;
366 	case CRYPT_METHOD_DES_CBC_CRC:
367 		headspace += crc32_hash.hash_len + crc32_hash.confound_len;
368 		break;
369 	case CRYPT_METHOD_DES_CBC_MD5:
370 		headspace += md5_hash.hash_len + md5_hash.confound_len;
371 		break;
372 	case CRYPT_METHOD_DES3_CBC_SHA1:
373 		headspace += sha1_hash.confound_len;
374 		break;
375 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
376 		headspace += md5_hash.hash_len + md5_hash.confound_len;
377 		break;
378 	case CRYPT_METHOD_AES128:
379 	case CRYPT_METHOD_AES256:
380 		headspace += DEFAULT_AES_BLOCKLEN;
381 		break;
382 	case CRYPT_METHOD_DES_CFB:
383 	case CRYPT_METHOD_NONE:
384 		break;
385 	}
386 
387 	return (headspace);
388 }
389 /*
390  * encrypt_size
391  *
392  * Calculate the resulting size when encrypting 'plainlen' bytes
393  * of data.
394  */
395 static size_t
396 encrypt_size(struct cipher_data_t *cd, size_t plainlen)
397 {
398 	size_t cipherlen;
399 
400 	switch (cd->method) {
401 	case CRYPT_METHOD_DES_CBC_NULL:
402 		cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
403 					    plainlen, 8);
404 		break;
405 	case CRYPT_METHOD_DES_CBC_MD5:
406 		cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
407 					    md5_hash.confound_len +
408 					    plainlen, 8);
409 		break;
410 	case CRYPT_METHOD_DES_CBC_CRC:
411 		cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
412 					    crc32_hash.confound_len +
413 					    plainlen, 8);
414 		break;
415 	case CRYPT_METHOD_DES3_CBC_SHA1:
416 		cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
417 					    plainlen, 8) +
418 					    sha1_hash.hash_len;
419 		break;
420 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
421 		cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
422 				plainlen, 1) + md5_hash.hash_len;
423 		break;
424 	case CRYPT_METHOD_AES128:
425 	case CRYPT_METHOD_AES256:
426 		/* No roundup for AES-CBC-CTS */
427 		cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
428 			AES_TRUNCATED_HMAC_LEN;
429 		break;
430 	case CRYPT_METHOD_DES_CFB:
431 	case CRYPT_METHOD_NONE:
432 		cipherlen = plainlen;
433 		break;
434 	}
435 
436 	return (cipherlen);
437 }
438 
439 /*
440  * des_cfb_encrypt
441  *
442  * Encrypt the mblk data using DES with cipher feedback.
443  *
444  * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
445  * vector, D[n] is the nth chunk of 64 bits of data to encrypt
446  * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
447  * (decrypted) data, then:
448  *
449  *  V[0] = DES(V[i], key)
450  *  O[n] = D[n] <exclusive or > V[n]
451  *  V[n+1] = DES(O[n], key)
452  *
453  * The size of the message being encrypted does not change in this
454  * algorithm, num_bytes in == num_bytes out.
455  */
456 static mblk_t *
457 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
458 {
459 	int savedbytes;
460 	char *iptr, *optr, *lastoutput;
461 
462 	lastoutput = optr = (char *)mp->b_rptr;
463 	iptr = (char *)mp->b_rptr;
464 	savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;
465 
466 	while (iptr < (char *)mp->b_wptr) {
467 		/*
468 		 * Do DES-ECB.
469 		 * The first time this runs, the 'tmi->enc_data.block' will
470 		 * contain the initialization vector that should have been
471 		 * passed in with the SETUP ioctl.
472 		 *
473 		 * V[n] = DES(V[n-1], key)
474 		 */
475 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
476 			int retval = 0;
477 			retval = kef_crypt(&tmi->enc_data,
478 					tmi->enc_data.block,
479 					CRYPTO_DATA_RAW,
480 					tmi->enc_data.blocklen,
481 					CRYPT_ENCRYPT);
482 
483 			if (retval != CRYPTO_SUCCESS) {
484 #ifdef DEBUG
485 				cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
486 					"failed - error 0x%0x", retval);
487 #endif
488 				mp->b_datap->db_type = M_ERROR;
489 				mp->b_rptr = mp->b_datap->db_base;
490 				*mp->b_rptr = EIO;
491 				mp->b_wptr = mp->b_rptr + sizeof (char);
492 				freemsg(mp->b_cont);
493 				mp->b_cont = NULL;
494 				qreply(WR(q), mp);
495 				return (NULL);
496 			}
497 		}
498 
499 		/* O[n] = I[n] ^ V[n] */
500 		*(optr++) = *(iptr++) ^
501 		    tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];
502 
503 		tmi->enc_data.bytes++;
504 		/*
505 		 * Feedback the encrypted output as the input to next DES call.
506 		 */
507 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
508 			char *dbptr = tmi->enc_data.block;
509 			/*
510 			 * Get the last bits of input from the previous
511 			 * msg block that we haven't yet used as feedback input.
512 			 */
513 			if (savedbytes > 0) {
514 				bcopy(tmi->enc_data.saveblock,
515 				    dbptr, (size_t)savedbytes);
516 				dbptr += savedbytes;
517 			}
518 
519 			/*
520 			 * Now copy the correct bytes from the current input
521 			 * stream and update the 'lastoutput' ptr
522 			 */
523 			bcopy(lastoutput, dbptr,
524 				(size_t)(CFB_BLKSZ - savedbytes));
525 
526 			lastoutput += (CFB_BLKSZ - savedbytes);
527 			savedbytes = 0;
528 		}
529 	}
530 	/*
531 	 * If there are bytes of input here that we need in the next
532 	 * block to build an ivec, save them off here.
533 	 */
534 	if (lastoutput < optr) {
535 		bcopy(lastoutput,
536 		    tmi->enc_data.saveblock + savedbytes,
537 		    (uint_t)(optr - lastoutput));
538 	}
539 	return (mp);
540 }
541 
542 /*
543  * des_cfb_decrypt
544  *
545  * Decrypt the data in the mblk using DES in Cipher Feedback mode
546  *
547  * # bytes in == # bytes out, no padding, confounding, or hashing
548  * is added.
549  *
550  */
551 static mblk_t *
552 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
553 {
554 	uint_t len;
555 	uint_t savedbytes;
556 	char *iptr;
557 	char *lastinput;
558 	uint_t cp;
559 
560 	len = MBLKL(mp);
561 
562 	/* decrypted output goes into the new data buffer */
563 	lastinput = iptr = (char *)mp->b_rptr;
564 
565 	savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;
566 
567 	/*
568 	 * Save the input CFB_BLKSZ bytes at a time.
569 	 * We are trying to decrypt in-place, but need to keep
570 	 * a small sliding window of encrypted text to be
571 	 * used to construct the feedback buffer.
572 	 */
573 	cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
574 		tmi->dec_data.blocklen - savedbytes);
575 
576 	bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
577 	savedbytes += cp;
578 
579 	lastinput += cp;
580 
581 	while (iptr < (char *)mp->b_wptr) {
582 		/*
583 		 * Do DES-ECB.
584 		 * The first time this runs, the 'tmi->dec_data.block' will
585 		 * contain the initialization vector that should have been
586 		 * passed in with the SETUP ioctl.
587 		 */
588 		if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
589 			int retval;
590 			retval = kef_crypt(&tmi->dec_data,
591 					tmi->dec_data.block,
592 					CRYPTO_DATA_RAW,
593 					tmi->dec_data.blocklen,
594 					CRYPT_ENCRYPT);
595 
596 			if (retval != CRYPTO_SUCCESS) {
597 #ifdef DEBUG
598 				cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
599 					"failed - status 0x%0x", retval);
600 #endif
601 				mp->b_datap->db_type = M_ERROR;
602 				mp->b_rptr = mp->b_datap->db_base;
603 				*mp->b_rptr = EIO;
604 				mp->b_wptr = mp->b_rptr + sizeof (char);
605 				freemsg(mp->b_cont);
606 				mp->b_cont = NULL;
607 				qreply(WR(q), mp);
608 				return (NULL);
609 			}
610 		}
611 
612 		/*
613 		 * To decrypt, XOR the input with the output from the DES call
614 		 */
615 		*(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
616 				CFB_BLKSZ];
617 
618 		tmi->dec_data.bytes++;
619 
620 		/*
621 		 * Feedback the encrypted input for next DES call.
622 		 */
623 		if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
624 			char *dbptr = tmi->dec_data.block;
625 			/*
626 			 * Get the last bits of input from the previous block
627 			 * that we haven't yet processed.
628 			 */
629 			if (savedbytes > 0) {
630 				bcopy(tmi->dec_data.saveblock,
631 				    dbptr, savedbytes);
632 				dbptr += savedbytes;
633 			}
634 
635 			savedbytes = 0;
636 
637 			/*
638 			 * This block makes sure that our local
639 			 * buffer of input data is full and can
640 			 * be accessed from the beginning.
641 			 */
642 			if (lastinput < (char *)mp->b_wptr) {
643 
644 				/* How many bytes are left in the mblk? */
645 				cp = (((char *)mp->b_wptr - lastinput) >
646 					tmi->dec_data.blocklen ?
647 					tmi->dec_data.blocklen :
648 					(char *)mp->b_wptr - lastinput);
649 
650 				/* copy what we need */
651 				bcopy(lastinput, tmi->dec_data.saveblock,
652 					cp);
653 
654 				lastinput += cp;
655 				savedbytes = cp;
656 			}
657 		}
658 	}
659 
660 	return (mp);
661 }
662 
663 /*
664  * crc32_calc
665  *
666  * Compute a CRC32 checksum on the input
667  */
668 static int
669 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
670 {
671 	uint32_t crc;
672 
673 	CRC32(crc, input, len, 0, crc32_table);
674 
675 	buf[0] = (uchar_t)(crc & 0xff);
676 	buf[1] = (uchar_t)((crc >> 8) & 0xff);
677 	buf[2] = (uchar_t)((crc >> 16) & 0xff);
678 	buf[3] = (uchar_t)((crc >> 24) & 0xff);
679 
680 	return (CRYPTO_SUCCESS);
681 }
682 
683 static int
684 kef_digest(crypto_mech_type_t digest_type,
685 	uchar_t *input, uint_t inlen,
686 	uchar_t *output, uint_t hashlen)
687 {
688 	iovec_t v1, v2;
689 	crypto_data_t d1, d2;
690 	crypto_mechanism_t mech;
691 	int rv;
692 
693 	mech.cm_type = digest_type;
694 	mech.cm_param = 0;
695 	mech.cm_param_len = 0;
696 
697 	v1.iov_base = (void *)input;
698 	v1.iov_len = inlen;
699 
700 	d1.cd_format = CRYPTO_DATA_RAW;
701 	d1.cd_offset = 0;
702 	d1.cd_length = v1.iov_len;
703 	d1.cd_raw = v1;
704 
705 	v2.iov_base = (void *)output;
706 	v2.iov_len = hashlen;
707 
708 	d2.cd_format = CRYPTO_DATA_RAW;
709 	d2.cd_offset = 0;
710 	d2.cd_length = v2.iov_len;
711 	d2.cd_raw = v2;
712 
713 	rv = crypto_digest(&mech, &d1, &d2, NULL);
714 
715 	return (rv);
716 }
717 
718 /*
719  * sha1_calc
720  *
721  * Get a SHA1 hash on the input data.
722  */
723 static int
724 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
725 {
726 	int rv;
727 
728 	rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);
729 
730 	return (rv);
731 }
732 
733 /*
734  * Get an MD5 hash on the input data.
735  * md5_calc
736  *
737  */
738 static int
739 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
740 {
741 	int rv;
742 
743 	rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);
744 
745 	return (rv);
746 }
747 
748 /*
749  * nfold
750  * duplicate the functionality of the krb5_nfold function from
751  * the userland kerberos mech.
752  * This is needed to derive keys for use with 3DES/SHA1-HMAC
753  * ciphers.
754  */
755 static void
756 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
757 {
758 	int a, b, c, lcm;
759 	int byte, i, msbit;
760 
761 	inbits >>= 3;
762 	outbits >>= 3;
763 
764 	/* first compute lcm(n,k) */
765 	a = outbits;
766 	b = inbits;
767 
768 	while (b != 0) {
769 		c = b;
770 		b = a%b;
771 		a = c;
772 	}
773 
774 	lcm = outbits*inbits/a;
775 
776 	/* now do the real work */
777 
778 	bzero(out, outbits);
779 	byte = 0;
780 
781 	/*
782 	 * Compute the msbit in k which gets added into this byte
783 	 * first, start with the msbit in the first, unrotated byte
784 	 * then, for each byte, shift to the right for each repetition
785 	 * last, pick out the correct byte within that shifted repetition
786 	 */
787 	for (i = lcm-1; i >= 0; i--) {
788 		msbit = (((inbits<<3)-1)
789 			+(((inbits<<3)+13)*(i/inbits))
790 			+((inbits-(i%inbits))<<3)) %(inbits<<3);
791 
792 		/* pull out the byte value itself */
793 		byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
794 			(in[((inbits)-(msbit>>3))%inbits]))
795 			>>((msbit&7)+1))&0xff;
796 
797 		/* do the addition */
798 		byte += out[i%outbits];
799 		out[i%outbits] = byte&0xff;
800 
801 		byte >>= 8;
802 	}
803 
804 	/* if there's a carry bit left over, add it back in */
805 	if (byte) {
806 		for (i = outbits-1; i >= 0; i--) {
807 			/* do the addition */
808 			byte += out[i];
809 			out[i] = byte&0xff;
810 
811 			/* keep around the carry bit, if any */
812 			byte >>= 8;
813 		}
814 	}
815 }
816 
817 #define	smask(step) ((1<<step)-1)
818 #define	pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
819 #define	parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
820 
821 /*
822  * Duplicate the functionality of the "dk_derive_key" function
823  * in the Kerberos mechanism.
824  */
825 static int
826 derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
827 	int constlen, char *dkey, int keybytes,
828 	int blocklen)
829 {
830 	int rv = 0;
831 	int n = 0, i;
832 	char *inblock;
833 	char *rawkey;
834 	char *zeroblock;
835 	char *saveblock;
836 
837 	inblock = kmem_zalloc(blocklen, KM_SLEEP);
838 	rawkey = kmem_zalloc(keybytes, KM_SLEEP);
839 	zeroblock = kmem_zalloc(blocklen, KM_SLEEP);
840 
841 	if (constlen == blocklen)
842 		bcopy(constdata, inblock, blocklen);
843 	else
844 		nfold(constlen * 8, constdata,
845 			blocklen * 8, (uchar_t *)inblock);
846 
847 	/*
848 	 * zeroblock is an IV of all 0's.
849 	 *
850 	 * The "block" section of the cdata record is used as the
851 	 * IV for crypto operations in the kef_crypt function.
852 	 *
853 	 * We use 'block' as a generic IV data buffer because it
854 	 * is attached to the stream state data and thus can
855 	 * be used to hold information that must carry over
856 	 * from processing of one mblk to another.
857 	 *
858 	 * Here, we save the current IV and replace it with
859 	 * and empty IV (all 0's) for use when deriving the
860 	 * keys.  Once the key derivation is done, we swap the
861 	 * old IV back into place.
862 	 */
863 	saveblock = cdata->block;
864 	cdata->block = zeroblock;
865 
866 	while (n < keybytes) {
867 		rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
868 				blocklen, CRYPT_ENCRYPT);
869 		if (rv != CRYPTO_SUCCESS) {
870 			/* put the original IV block back in place */
871 			cdata->block = saveblock;
872 			cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
873 			goto cleanup;
874 		}
875 
876 		if (keybytes - n < blocklen) {
877 			bcopy(inblock, rawkey+n, (keybytes-n));
878 			break;
879 		}
880 		bcopy(inblock, rawkey+n, blocklen);
881 		n += blocklen;
882 	}
883 	/* put the original IV block back in place */
884 	cdata->block = saveblock;
885 
886 	/* finally, make the key */
887 	if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
888 		/*
889 		 * 3DES key derivation requires that we make sure the
890 		 * key has the proper parity.
891 		 */
892 		for (i = 0; i < 3; i++) {
893 			bcopy(rawkey+(i*7), dkey+(i*8), 7);
894 
895 			/* 'dkey' is our derived key output buffer */
896 			dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
897 					((dkey[i*8+1]&1)<<2) |
898 					((dkey[i*8+2]&1)<<3) |
899 					((dkey[i*8+3]&1)<<4) |
900 					((dkey[i*8+4]&1)<<5) |
901 					((dkey[i*8+5]&1)<<6) |
902 					((dkey[i*8+6]&1)<<7));
903 
904 			for (n = 0; n < 8; n++) {
905 				dkey[i*8 + n] &=  0xfe;
906 				dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
907 			}
908 		}
909 	} else if (IS_AES_METHOD(cdata->method)) {
910 		bcopy(rawkey, dkey, keybytes);
911 	}
912 cleanup:
913 	kmem_free(inblock, blocklen);
914 	kmem_free(zeroblock, blocklen);
915 	kmem_free(rawkey, keybytes);
916 	return (rv);
917 }
918 
919 /*
920  * create_derived_keys
921  *
922  * Algorithm for deriving a new key and an HMAC key
923  * before computing the 3DES-SHA1-HMAC operation on the plaintext
924  * This algorithm matches the work done by Kerberos mechanism
925  * in userland.
926  */
927 static int
928 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
929 		crypto_key_t *enckey, crypto_key_t *hmackey)
930 {
931 	uchar_t constdata[K5CLENGTH];
932 	int keybytes;
933 	int rv;
934 
935 	constdata[0] = (usage>>24)&0xff;
936 	constdata[1] = (usage>>16)&0xff;
937 	constdata[2] = (usage>>8)&0xff;
938 	constdata[3] = usage & 0xff;
939 	/* Use "0xAA" for deriving encryption key */
940 	constdata[4] = 0xAA; /* from MIT Kerberos code */
941 
942 	enckey->ck_length = cdata->keylen * 8;
943 	enckey->ck_format = CRYPTO_KEY_RAW;
944 	enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
945 
946 	switch (cdata->method) {
947 		case CRYPT_METHOD_DES_CFB:
948 		case CRYPT_METHOD_DES_CBC_NULL:
949 		case CRYPT_METHOD_DES_CBC_MD5:
950 		case CRYPT_METHOD_DES_CBC_CRC:
951 			keybytes = 8;
952 			break;
953 		case CRYPT_METHOD_DES3_CBC_SHA1:
954 			keybytes = CRYPT_DES3_KEYBYTES;
955 			break;
956 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
957 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
958 			keybytes = CRYPT_ARCFOUR_KEYBYTES;
959 			break;
960 		case CRYPT_METHOD_AES128:
961 			keybytes = CRYPT_AES128_KEYBYTES;
962 			break;
963 		case CRYPT_METHOD_AES256:
964 			keybytes = CRYPT_AES256_KEYBYTES;
965 			break;
966 	}
967 
968 	/* derive main crypto key */
969 	rv = derive_key(cdata, constdata, sizeof (constdata),
970 		enckey->ck_data, keybytes, cdata->blocklen);
971 
972 	if (rv == CRYPTO_SUCCESS) {
973 
974 		/* Use "0x55" for deriving mac key */
975 		constdata[4] = 0x55;
976 
977 		hmackey->ck_length = cdata->keylen * 8;
978 		hmackey->ck_format = CRYPTO_KEY_RAW;
979 		hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
980 
981 		rv = derive_key(cdata, constdata, sizeof (constdata),
982 				hmackey->ck_data, keybytes,
983 				cdata->blocklen);
984 	} else {
985 		cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
986 	}
987 
988 	return (rv);
989 }
990 
991 /*
992  * Compute 3-DES crypto and HMAC.
993  */
994 static int
995 kef_decr_hmac(struct cipher_data_t *cdata,
996 	mblk_t *mp, int length,
997 	char *hmac, int hmaclen)
998 {
999 	int rv = CRYPTO_FAILED;
1000 
1001 	crypto_mechanism_t encr_mech;
1002 	crypto_mechanism_t mac_mech;
1003 	crypto_data_t dd;
1004 	crypto_data_t mac;
1005 	iovec_t v1;
1006 
1007 	ASSERT(cdata != NULL);
1008 	ASSERT(mp != NULL);
1009 	ASSERT(hmac != NULL);
1010 
1011 	bzero(&dd, sizeof (dd));
1012 	dd.cd_format = CRYPTO_DATA_MBLK;
1013 	dd.cd_offset = 0;
1014 	dd.cd_length = length;
1015 	dd.cd_mp = mp;
1016 
1017 	v1.iov_base = hmac;
1018 	v1.iov_len = hmaclen;
1019 
1020 	mac.cd_format = CRYPTO_DATA_RAW;
1021 	mac.cd_offset = 0;
1022 	mac.cd_length = hmaclen;
1023 	mac.cd_raw = v1;
1024 
1025 	/*
1026 	 * cdata->block holds the IVEC
1027 	 */
1028 	encr_mech.cm_type = cdata->mech_type;
1029 	encr_mech.cm_param = cdata->block;
1030 
1031 	if (cdata->block != NULL)
1032 		encr_mech.cm_param_len = cdata->blocklen;
1033 	else
1034 		encr_mech.cm_param_len = 0;
1035 
1036 	rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key,
1037 			cdata->enc_tmpl, NULL, NULL);
1038 	if (rv != CRYPTO_SUCCESS) {
1039 		cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv);
1040 		return (rv);
1041 	}
1042 
1043 	mac_mech.cm_type = sha1_hmac_mech;
1044 	mac_mech.cm_param = NULL;
1045 	mac_mech.cm_param_len = 0;
1046 
1047 	/*
1048 	 * Compute MAC of the plaintext decrypted above.
1049 	 */
1050 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1051 			cdata->hmac_tmpl, &mac, NULL);
1052 
1053 	if (rv != CRYPTO_SUCCESS) {
1054 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1055 	}
1056 
1057 	return (rv);
1058 }
1059 
1060 /*
1061  * Compute 3-DES crypto and HMAC.
1062  */
1063 static int
1064 kef_encr_hmac(struct cipher_data_t *cdata,
1065 	mblk_t *mp, int length,
1066 	char *hmac, int hmaclen)
1067 {
1068 	int rv = CRYPTO_FAILED;
1069 
1070 	crypto_mechanism_t encr_mech;
1071 	crypto_mechanism_t mac_mech;
1072 	crypto_data_t dd;
1073 	crypto_data_t mac;
1074 	iovec_t v1;
1075 
1076 	ASSERT(cdata != NULL);
1077 	ASSERT(mp != NULL);
1078 	ASSERT(hmac != NULL);
1079 
1080 	bzero(&dd, sizeof (dd));
1081 	dd.cd_format = CRYPTO_DATA_MBLK;
1082 	dd.cd_offset = 0;
1083 	dd.cd_length = length;
1084 	dd.cd_mp = mp;
1085 
1086 	v1.iov_base = hmac;
1087 	v1.iov_len = hmaclen;
1088 
1089 	mac.cd_format = CRYPTO_DATA_RAW;
1090 	mac.cd_offset = 0;
1091 	mac.cd_length = hmaclen;
1092 	mac.cd_raw = v1;
1093 
1094 	/*
1095 	 * cdata->block holds the IVEC
1096 	 */
1097 	encr_mech.cm_type = cdata->mech_type;
1098 	encr_mech.cm_param = cdata->block;
1099 
1100 	if (cdata->block != NULL)
1101 		encr_mech.cm_param_len = cdata->blocklen;
1102 	else
1103 		encr_mech.cm_param_len = 0;
1104 
1105 	mac_mech.cm_type = sha1_hmac_mech;
1106 	mac_mech.cm_param = NULL;
1107 	mac_mech.cm_param_len = 0;
1108 
1109 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1110 			cdata->hmac_tmpl, &mac, NULL);
1111 
1112 	if (rv != CRYPTO_SUCCESS) {
1113 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1114 		return (rv);
1115 	}
1116 
1117 	rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key,
1118 			cdata->enc_tmpl, NULL, NULL);
1119 	if (rv != CRYPTO_SUCCESS) {
1120 		cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv);
1121 	}
1122 
1123 	return (rv);
1124 }
1125 
1126 /*
1127  * kef_crypt
1128  *
1129  * Use the Kernel encryption framework to provide the
1130  * crypto operations for the indicated data.
1131  */
1132 static int
1133 kef_crypt(struct cipher_data_t *cdata,
1134 	void *indata, crypto_data_format_t fmt,
1135 	size_t length, int mode)
1136 {
1137 	int rv = CRYPTO_FAILED;
1138 
1139 	crypto_mechanism_t mech;
1140 	crypto_key_t crkey;
1141 	iovec_t v1;
1142 	crypto_data_t d1;
1143 
1144 	ASSERT(cdata != NULL);
1145 	ASSERT(indata != NULL);
1146 	ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);
1147 
1148 	bzero(&crkey, sizeof (crkey));
1149 	bzero(&d1, sizeof (d1));
1150 
1151 	crkey.ck_format = CRYPTO_KEY_RAW;
1152 	crkey.ck_data =  cdata->key;
1153 
1154 	/* keys are measured in bits, not bytes, so multiply by 8 */
1155 	crkey.ck_length = cdata->keylen * 8;
1156 
1157 	if (fmt == CRYPTO_DATA_RAW) {
1158 		v1.iov_base = (char *)indata;
1159 		v1.iov_len = length;
1160 	}
1161 
1162 	d1.cd_format = fmt;
1163 	d1.cd_offset = 0;
1164 	d1.cd_length = length;
1165 	if (fmt == CRYPTO_DATA_RAW)
1166 		d1.cd_raw = v1;
1167 	else if (fmt == CRYPTO_DATA_MBLK)
1168 		d1.cd_mp = (mblk_t *)indata;
1169 
1170 	mech.cm_type = cdata->mech_type;
1171 	mech.cm_param = cdata->block;
1172 	/*
1173 	 * cdata->block holds the IVEC
1174 	 */
1175 	if (cdata->block != NULL)
1176 		mech.cm_param_len = cdata->blocklen;
1177 	else
1178 		mech.cm_param_len = 0;
1179 
1180 	/*
1181 	 * encrypt and decrypt in-place
1182 	 */
1183 	if (mode == CRYPT_ENCRYPT)
1184 		rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1185 	else
1186 		rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1187 
1188 	if (rv != CRYPTO_SUCCESS) {
1189 		cmn_err(CE_WARN, "%s returned error %08x",
1190 			(mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
1191 				"crypto_decrypt"), rv);
1192 		return (CRYPTO_FAILED);
1193 	}
1194 
1195 	return (rv);
1196 }
1197 
1198 static int
1199 do_hmac(crypto_mech_type_t mech,
1200 	crypto_key_t *key,
1201 	char *data, int datalen,
1202 	char *hmac, int hmaclen)
1203 {
1204 	int rv = 0;
1205 	crypto_mechanism_t mac_mech;
1206 	crypto_data_t dd;
1207 	crypto_data_t mac;
1208 	iovec_t vdata, vmac;
1209 
1210 	mac_mech.cm_type = mech;
1211 	mac_mech.cm_param = NULL;
1212 	mac_mech.cm_param_len = 0;
1213 
1214 	vdata.iov_base = data;
1215 	vdata.iov_len = datalen;
1216 
1217 	bzero(&dd, sizeof (dd));
1218 	dd.cd_format = CRYPTO_DATA_RAW;
1219 	dd.cd_offset = 0;
1220 	dd.cd_length = datalen;
1221 	dd.cd_raw = vdata;
1222 
1223 	vmac.iov_base = hmac;
1224 	vmac.iov_len = hmaclen;
1225 
1226 	mac.cd_format = CRYPTO_DATA_RAW;
1227 	mac.cd_offset = 0;
1228 	mac.cd_length = hmaclen;
1229 	mac.cd_raw = vmac;
1230 
1231 	/*
1232 	 * Compute MAC of the plaintext decrypted above.
1233 	 */
1234 	rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);
1235 
1236 	if (rv != CRYPTO_SUCCESS) {
1237 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1238 	}
1239 
1240 	return (rv);
1241 }
1242 
1243 #define	XOR_BLOCK(src, dst) \
1244 	(dst)[0] ^= (src)[0]; \
1245 	(dst)[1] ^= (src)[1]; \
1246 	(dst)[2] ^= (src)[2]; \
1247 	(dst)[3] ^= (src)[3]; \
1248 	(dst)[4] ^= (src)[4]; \
1249 	(dst)[5] ^= (src)[5]; \
1250 	(dst)[6] ^= (src)[6]; \
1251 	(dst)[7] ^= (src)[7]; \
1252 	(dst)[8] ^= (src)[8]; \
1253 	(dst)[9] ^= (src)[9]; \
1254 	(dst)[10] ^= (src)[10]; \
1255 	(dst)[11] ^= (src)[11]; \
1256 	(dst)[12] ^= (src)[12]; \
1257 	(dst)[13] ^= (src)[13]; \
1258 	(dst)[14] ^= (src)[14]; \
1259 	(dst)[15] ^= (src)[15]
1260 
1261 #define	xorblock(x, y) XOR_BLOCK(y, x)
1262 
1263 static int
1264 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
1265 {
1266 	int result = CRYPTO_SUCCESS;
1267 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1268 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1269 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1270 	int nblocks = 0, blockno;
1271 	crypto_data_t ct, pt;
1272 	crypto_mechanism_t mech;
1273 
1274 	mech.cm_type = tmi->enc_data.mech_type;
1275 	if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) {
1276 		bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1277 		mech.cm_param = tmi->enc_data.ivec;
1278 		mech.cm_param_len = tmi->enc_data.ivlen;
1279 	} else {
1280 		bzero(tmp, sizeof (tmp));
1281 		mech.cm_param = NULL;
1282 		mech.cm_param_len = 0;
1283 	}
1284 
1285 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1286 
1287 	bzero(&ct, sizeof (crypto_data_t));
1288 	bzero(&pt, sizeof (crypto_data_t));
1289 
1290 	if (nblocks == 1) {
1291 		pt.cd_format = CRYPTO_DATA_RAW;
1292 		pt.cd_length = length;
1293 		pt.cd_raw.iov_base = (char *)plain;
1294 		pt.cd_raw.iov_len = length;
1295 
1296 		result = crypto_encrypt(&mech, &pt,
1297 			&tmi->enc_data.d_encr_key, NULL, NULL, NULL);
1298 
1299 		if (result != CRYPTO_SUCCESS) {
1300 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1301 				"crypto_encrypt failed: %0x", result);
1302 		}
1303 	} else {
1304 		size_t nleft;
1305 
1306 		ct.cd_format = CRYPTO_DATA_RAW;
1307 		ct.cd_offset = 0;
1308 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1309 
1310 		pt.cd_format = CRYPTO_DATA_RAW;
1311 		pt.cd_offset = 0;
1312 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1313 
1314 		result = crypto_encrypt_init(&mech,
1315 				&tmi->enc_data.d_encr_key,
1316 				tmi->enc_data.enc_tmpl,
1317 				&tmi->enc_data.ctx, NULL);
1318 
1319 		if (result != CRYPTO_SUCCESS) {
1320 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1321 				"crypto_encrypt_init failed: %0x", result);
1322 			goto cleanup;
1323 		}
1324 
1325 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1326 			xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN);
1327 
1328 			pt.cd_raw.iov_base = (char *)tmp;
1329 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1330 
1331 			ct.cd_raw.iov_base = (char *)plain +
1332 				blockno * DEFAULT_AES_BLOCKLEN;
1333 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1334 
1335 			result = crypto_encrypt_update(tmi->enc_data.ctx,
1336 					&pt, &ct, NULL);
1337 
1338 			if (result != CRYPTO_SUCCESS) {
1339 				cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1340 					"crypto_encrypt_update failed: %0x",
1341 					result);
1342 				goto cleanup;
1343 			}
1344 			/* copy result over original bytes */
1345 			/* make another copy for the next XOR step */
1346 			bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN,
1347 				tmp, DEFAULT_AES_BLOCKLEN);
1348 		}
1349 		/* XOR cipher text from n-3 with plain text from n-2 */
1350 		xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1351 
1352 		pt.cd_raw.iov_base = (char *)tmp;
1353 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1354 
1355 		ct.cd_raw.iov_base = (char *)tmp2;
1356 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1357 
1358 		/* encrypt XOR-ed block N-2 */
1359 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1360 				&pt, &ct, NULL);
1361 		if (result != CRYPTO_SUCCESS) {
1362 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1363 				"crypto_encrypt_update(2) failed: %0x",
1364 				result);
1365 			goto cleanup;
1366 		}
1367 		nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN;
1368 
1369 		bzero(tmp3, sizeof (tmp3));
1370 		/* Save final plaintext bytes from n-1 */
1371 		bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1372 			nleft);
1373 
1374 		/* Overwrite n-1 with cipher text from n-2 */
1375 		bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1376 			nleft);
1377 
1378 		bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN);
1379 		/* XOR cipher text from n-1 with plain text from n-1 */
1380 		xorblock(tmp, tmp3);
1381 
1382 		pt.cd_raw.iov_base = (char *)tmp;
1383 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1384 
1385 		ct.cd_raw.iov_base = (char *)tmp2;
1386 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1387 
1388 		/* encrypt block N-2 */
1389 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1390 			&pt, &ct, NULL);
1391 
1392 		if (result != CRYPTO_SUCCESS) {
1393 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1394 				"crypto_encrypt_update(3) failed: %0x",
1395 				result);
1396 			goto cleanup;
1397 		}
1398 
1399 		bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1400 			DEFAULT_AES_BLOCKLEN);
1401 
1402 
1403 		ct.cd_raw.iov_base = (char *)tmp2;
1404 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1405 
1406 		/*
1407 		 * Ignore the output on the final step.
1408 		 */
1409 		result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL);
1410 		if (result != CRYPTO_SUCCESS) {
1411 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1412 				"crypto_encrypt_final(3) failed: %0x",
1413 				result);
1414 		}
1415 		tmi->enc_data.ctx = NULL;
1416 	}
1417 cleanup:
1418 	bzero(tmp, sizeof (tmp));
1419 	bzero(tmp2, sizeof (tmp));
1420 	bzero(tmp3, sizeof (tmp));
1421 	bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
1422 	return (result);
1423 }
1424 
1425 static int
1426 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length)
1427 {
1428 	int result = CRYPTO_SUCCESS;
1429 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1430 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1431 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1432 	int nblocks = 0, blockno;
1433 	crypto_data_t ct, pt;
1434 	crypto_mechanism_t mech;
1435 
1436 	mech.cm_type = tmi->enc_data.mech_type;
1437 
1438 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1439 	    tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) {
1440 		bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1441 		mech.cm_param = tmi->dec_data.ivec;
1442 		mech.cm_param_len = tmi->dec_data.ivlen;
1443 	} else {
1444 		bzero(tmp, sizeof (tmp));
1445 		mech.cm_param_len = 0;
1446 		mech.cm_param = NULL;
1447 	}
1448 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1449 
1450 	bzero(&pt, sizeof (pt));
1451 	bzero(&ct, sizeof (ct));
1452 
1453 	if (nblocks == 1) {
1454 		ct.cd_format = CRYPTO_DATA_RAW;
1455 		ct.cd_length = length;
1456 		ct.cd_raw.iov_base = (char *)buff;
1457 		ct.cd_raw.iov_len = length;
1458 
1459 		result = crypto_decrypt(&mech, &ct,
1460 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1461 
1462 		if (result != CRYPTO_SUCCESS) {
1463 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1464 				"crypto_decrypt failed: %0x", result);
1465 			goto cleanup;
1466 		}
1467 	} else {
1468 		ct.cd_format = CRYPTO_DATA_RAW;
1469 		ct.cd_offset = 0;
1470 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1471 
1472 		pt.cd_format = CRYPTO_DATA_RAW;
1473 		pt.cd_offset = 0;
1474 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1475 
1476 		result = crypto_encrypt_init(&mech,
1477 				&tmi->dec_data.d_encr_key,
1478 				tmi->dec_data.enc_tmpl,
1479 				&tmi->dec_data.ctx, NULL);
1480 
1481 		if (result != CRYPTO_SUCCESS) {
1482 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1483 				"crypto_decrypt_init failed: %0x", result);
1484 			goto cleanup;
1485 		}
1486 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1487 			ct.cd_raw.iov_base = (char *)buff +
1488 				(blockno * DEFAULT_AES_BLOCKLEN);
1489 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1490 
1491 			pt.cd_raw.iov_base = (char *)tmp2;
1492 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1493 
1494 			/*
1495 			 * Save the input to the decrypt so it can
1496 			 * be used later for an XOR operation
1497 			 */
1498 			bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN),
1499 				tmi->dec_data.block, DEFAULT_AES_BLOCKLEN);
1500 
1501 			result = crypto_decrypt_update(&tmi->dec_data.ctx,
1502 					&ct, &pt, NULL);
1503 			if (result != CRYPTO_SUCCESS) {
1504 				cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1505 					"crypto_decrypt_update(1) error - "
1506 					"result = 0x%08x", result);
1507 				goto cleanup;
1508 			}
1509 			xorblock(tmp2, tmp);
1510 			bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN,
1511 				DEFAULT_AES_BLOCKLEN);
1512 			/*
1513 			 * The original cipher text is used as the xor
1514 			 * for the next block, save it here.
1515 			 */
1516 			bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN);
1517 		}
1518 		ct.cd_raw.iov_base = (char *)buff +
1519 			((nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1520 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1521 		pt.cd_raw.iov_base = (char *)tmp2;
1522 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1523 
1524 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1525 				&ct, &pt, NULL);
1526 		if (result != CRYPTO_SUCCESS) {
1527 			cmn_err(CE_WARN,
1528 				"aes_cbc_cts_decrypt: "
1529 				"crypto_decrypt_update(2) error -"
1530 				" result = 0x%08x", result);
1531 			goto cleanup;
1532 		}
1533 		bzero(tmp3, sizeof (tmp3));
1534 		bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1535 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1536 
1537 		xorblock(tmp2, tmp3);
1538 		bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1539 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1540 
1541 		/* 2nd to last block ... */
1542 		bcopy(tmp3, tmp2,
1543 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1544 
1545 		ct.cd_raw.iov_base = (char *)tmp2;
1546 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1547 		pt.cd_raw.iov_base = (char *)tmp3;
1548 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1549 
1550 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1551 				&ct, &pt, NULL);
1552 		if (result != CRYPTO_SUCCESS) {
1553 			cmn_err(CE_WARN,
1554 				"aes_cbc_cts_decrypt: "
1555 				"crypto_decrypt_update(3) error - "
1556 				"result = 0x%08x", result);
1557 			goto cleanup;
1558 		}
1559 		xorblock(tmp3, tmp);
1560 
1561 
1562 		/* Finally, update the 2nd to last block and we are done. */
1563 		bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1564 			DEFAULT_AES_BLOCKLEN);
1565 
1566 		/* Do Final step, but ignore output */
1567 		pt.cd_raw.iov_base = (char *)tmp2;
1568 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1569 		result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL);
1570 		if (result != CRYPTO_SUCCESS) {
1571 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1572 				"crypto_decrypt_final error - "
1573 				"result = 0x%0x", result);
1574 		}
1575 		tmi->dec_data.ctx = NULL;
1576 	}
1577 
1578 cleanup:
1579 	bzero(tmp, sizeof (tmp));
1580 	bzero(tmp2, sizeof (tmp));
1581 	bzero(tmp3, sizeof (tmp));
1582 	bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
1583 	return (result);
1584 }
1585 
1586 /*
1587  * AES decrypt
1588  *
1589  * format of ciphertext when using AES
1590  *  +-------------+------------+------------+
1591  *  |  confounder | msg-data   |  hmac      |
1592  *  +-------------+------------+------------+
1593  */
1594 static mblk_t *
1595 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1596 	hash_info_t *hash)
1597 {
1598 	int result;
1599 	size_t enclen;
1600 	size_t inlen;
1601 	uchar_t hmacbuff[64];
1602 	uchar_t tmpiv[DEFAULT_AES_BLOCKLEN];
1603 
1604 	inlen = (size_t)MBLKL(mp);
1605 
1606 	enclen = inlen - AES_TRUNCATED_HMAC_LEN;
1607 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1608 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) {
1609 		int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) /
1610 				DEFAULT_AES_BLOCKLEN;
1611 		bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2),
1612 			tmpiv, DEFAULT_AES_BLOCKLEN);
1613 	}
1614 
1615 	/* AES Decrypt */
1616 	result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen);
1617 
1618 	if (result != CRYPTO_SUCCESS) {
1619 		cmn_err(CE_WARN,
1620 			"aes_decrypt:  aes_cbc_cts_decrypt "
1621 			"failed - error %0x", result);
1622 		goto cleanup;
1623 	}
1624 
1625 	/* Verify the HMAC */
1626 	result = do_hmac(sha1_hmac_mech,
1627 			&tmi->dec_data.d_hmac_key,
1628 			(char *)mp->b_rptr, enclen,
1629 			(char *)hmacbuff, hash->hash_len);
1630 
1631 	if (result != CRYPTO_SUCCESS) {
1632 		cmn_err(CE_WARN,
1633 			"aes_decrypt:  do_hmac failed - error %0x", result);
1634 		goto cleanup;
1635 	}
1636 
1637 	if (bcmp(hmacbuff, mp->b_rptr + enclen,
1638 		AES_TRUNCATED_HMAC_LEN) != 0) {
1639 		result = -1;
1640 		cmn_err(CE_WARN, "aes_decrypt: checksum verification failed");
1641 		goto cleanup;
1642 	}
1643 
1644 	/* truncate the mblk at the end of the decrypted text */
1645 	mp->b_wptr = mp->b_rptr + enclen;
1646 
1647 	/* Adjust the beginning of the buffer to skip the confounder */
1648 	mp->b_rptr += DEFAULT_AES_BLOCKLEN;
1649 
1650 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1651 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0)
1652 		bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN);
1653 
1654 cleanup:
1655 	if (result != CRYPTO_SUCCESS) {
1656 		mp->b_datap->db_type = M_ERROR;
1657 		mp->b_rptr = mp->b_datap->db_base;
1658 		*mp->b_rptr = EIO;
1659 		mp->b_wptr = mp->b_rptr + sizeof (char);
1660 		freemsg(mp->b_cont);
1661 		mp->b_cont = NULL;
1662 		qreply(WR(q), mp);
1663 		return (NULL);
1664 	}
1665 	return (mp);
1666 }
1667 
1668 /*
1669  * AES encrypt
1670  *
1671  * format of ciphertext when using AES
1672  *  +-------------+------------+------------+
1673  *  |  confounder | msg-data   |  hmac      |
1674  *  +-------------+------------+------------+
1675  */
1676 static mblk_t *
1677 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1678 	hash_info_t *hash)
1679 {
1680 	int result;
1681 	size_t cipherlen;
1682 	size_t inlen;
1683 	uchar_t hmacbuff[64];
1684 
1685 	inlen = (size_t)MBLKL(mp);
1686 
1687 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
1688 
1689 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1690 
1691 	/*
1692 	 * Shift the rptr back enough to insert the confounder.
1693 	 */
1694 	mp->b_rptr -= DEFAULT_AES_BLOCKLEN;
1695 
1696 	/* Get random data for confounder */
1697 	(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
1698 		DEFAULT_AES_BLOCKLEN);
1699 
1700 	/*
1701 	 * Because we encrypt in-place, we need to calculate
1702 	 * the HMAC of the plaintext now, then stick it on
1703 	 * the end of the ciphertext down below.
1704 	 */
1705 	result = do_hmac(sha1_hmac_mech,
1706 			&tmi->enc_data.d_hmac_key,
1707 			(char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen,
1708 			(char *)hmacbuff, hash->hash_len);
1709 
1710 	if (result != CRYPTO_SUCCESS) {
1711 		cmn_err(CE_WARN, "aes_encrypt:  do_hmac failed - error %0x",
1712 			result);
1713 		goto cleanup;
1714 	}
1715 	/* Encrypt using AES-CBC-CTS */
1716 	result = aes_cbc_cts_encrypt(tmi, mp->b_rptr,
1717 		inlen + DEFAULT_AES_BLOCKLEN);
1718 
1719 	if (result != CRYPTO_SUCCESS) {
1720 		cmn_err(CE_WARN, "aes_encrypt:  aes_cbc_cts_encrypt "
1721 			"failed - error %0x", result);
1722 		goto cleanup;
1723 	}
1724 
1725 	/* copy the truncated HMAC to the end of the mblk */
1726 	bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen,
1727 		AES_TRUNCATED_HMAC_LEN);
1728 
1729 	mp->b_wptr = mp->b_rptr + cipherlen;
1730 
1731 	/*
1732 	 * The final block of cipher text (not the HMAC) is used
1733 	 * as the next IV.
1734 	 */
1735 	if (tmi->enc_data.ivec_usage != IVEC_NEVER &&
1736 	    tmi->enc_data.ivec != NULL) {
1737 		int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) /
1738 			DEFAULT_AES_BLOCKLEN;
1739 
1740 		bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1741 			tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN);
1742 	}
1743 
1744 cleanup:
1745 	if (result != CRYPTO_SUCCESS) {
1746 		mp->b_datap->db_type = M_ERROR;
1747 		mp->b_rptr = mp->b_datap->db_base;
1748 		*mp->b_rptr = EIO;
1749 		mp->b_wptr = mp->b_rptr + sizeof (char);
1750 		freemsg(mp->b_cont);
1751 		mp->b_cont = NULL;
1752 		qreply(WR(q), mp);
1753 		return (NULL);
1754 	}
1755 	return (mp);
1756 }
1757 
1758 /*
1759  * ARCFOUR-HMAC-MD5 decrypt
1760  *
1761  * format of ciphertext when using ARCFOUR-HMAC-MD5
1762  *  +-----------+------------+------------+
1763  *  |  hmac     | confounder |  msg-data  |
1764  *  +-----------+------------+------------+
1765  *
1766  */
1767 static mblk_t *
1768 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1769 			hash_info_t *hash)
1770 {
1771 	int result;
1772 	size_t cipherlen;
1773 	size_t inlen;
1774 	size_t saltlen;
1775 	crypto_key_t k1, k2;
1776 	crypto_data_t indata;
1777 	iovec_t v1;
1778 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1779 				0xab, 0xab, 0xab, 0xab };
1780 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1781 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1782 	uchar_t cksum[MD5_HASHSIZE];
1783 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1784 	crypto_mechanism_t mech;
1785 	int usage;
1786 
1787 	/* The usage constant is 1026 for all "old" rcmd mode operations */
1788 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
1789 		usage = RCMDV1_USAGE;
1790 	else
1791 		usage = ARCFOUR_DECRYPT_USAGE;
1792 
1793 	/*
1794 	 * The size at this point should be the size of
1795 	 * all the plaintext plus the optional plaintext length
1796 	 * needed for RCMD V2 mode.  There should also be room
1797 	 * at the head of the mblk for the confounder and hash info.
1798 	 */
1799 	inlen = (size_t)MBLKL(mp);
1800 
1801 	/*
1802 	 * The cipherlen does not include the HMAC at the
1803 	 * head of the buffer.
1804 	 */
1805 	cipherlen = inlen - hash->hash_len;
1806 
1807 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1808 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1809 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
1810 		saltdata[9] = 0;
1811 		saltdata[10] = usage & 0xff;
1812 		saltdata[11] = (usage >> 8) & 0xff;
1813 		saltdata[12] = (usage >> 16) & 0xff;
1814 		saltdata[13] = (usage >> 24) & 0xff;
1815 		saltlen = 14;
1816 	} else {
1817 		saltdata[0] = usage & 0xff;
1818 		saltdata[1] = (usage >> 8) & 0xff;
1819 		saltdata[2] = (usage >> 16) & 0xff;
1820 		saltdata[3] = (usage >> 24) & 0xff;
1821 		saltlen = 4;
1822 	}
1823 	/*
1824 	 * Use the salt value to create a key to be used
1825 	 * for subsequent HMAC operations.
1826 	 */
1827 	result = do_hmac(md5_hmac_mech,
1828 			tmi->dec_data.ckey,
1829 			(char *)saltdata, saltlen,
1830 			(char *)k1data, sizeof (k1data));
1831 	if (result != CRYPTO_SUCCESS) {
1832 		cmn_err(CE_WARN,
1833 			"arcfour_hmac_md5_decrypt:  do_hmac(k1)"
1834 			"failed - error %0x", result);
1835 		goto cleanup;
1836 	}
1837 	bcopy(k1data, k2data, sizeof (k1data));
1838 
1839 	/*
1840 	 * For the neutered MS RC4 encryption type,
1841 	 * set the trailing 9 bytes to 0xab per the
1842 	 * RC4-HMAC spec.
1843 	 */
1844 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1845 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
1846 	}
1847 
1848 	mech.cm_type = tmi->dec_data.mech_type;
1849 	mech.cm_param = NULL;
1850 	mech.cm_param_len = 0;
1851 
1852 	/*
1853 	 * If we have not yet initialized the decryption key,
1854 	 * context, and template, do it now.
1855 	 */
1856 	if (tmi->dec_data.ctx == NULL ||
1857 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
1858 		k1.ck_format = CRYPTO_KEY_RAW;
1859 		k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8;
1860 		k1.ck_data = k1data;
1861 
1862 		tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW;
1863 		tmi->dec_data.d_encr_key.ck_length = k1.ck_length;
1864 		if (tmi->dec_data.d_encr_key.ck_data == NULL)
1865 			tmi->dec_data.d_encr_key.ck_data = kmem_zalloc(
1866 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
1867 
1868 		/*
1869 		 * HMAC operation creates the encryption
1870 		 * key to be used for the decrypt operations.
1871 		 */
1872 		result = do_hmac(md5_hmac_mech, &k1,
1873 			(char *)mp->b_rptr, hash->hash_len,
1874 			(char *)tmi->dec_data.d_encr_key.ck_data,
1875 			CRYPT_ARCFOUR_KEYBYTES);
1876 
1877 
1878 		if (result != CRYPTO_SUCCESS) {
1879 			cmn_err(CE_WARN,
1880 				"arcfour_hmac_md5_decrypt:  do_hmac(k3)"
1881 				"failed - error %0x", result);
1882 			goto cleanup;
1883 		}
1884 	}
1885 
1886 	tmi->dec_data.enc_tmpl = NULL;
1887 
1888 	if (tmi->dec_data.ctx == NULL &&
1889 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
1890 		/*
1891 		 * Only create a template if we are doing
1892 		 * chaining from block to block.
1893 		 */
1894 		result = crypto_create_ctx_template(&mech,
1895 			&tmi->dec_data.d_encr_key,
1896 			&tmi->dec_data.enc_tmpl,
1897 			KM_SLEEP);
1898 		if (result == CRYPTO_NOT_SUPPORTED) {
1899 			tmi->dec_data.enc_tmpl = NULL;
1900 		} else if (result != CRYPTO_SUCCESS) {
1901 			cmn_err(CE_WARN,
1902 				"arcfour_hmac_md5_decrypt:  "
1903 				"failed to create dec template "
1904 				"for RC4 encrypt: %0x", result);
1905 			goto cleanup;
1906 		}
1907 
1908 		result = crypto_decrypt_init(&mech,
1909 			&tmi->dec_data.d_encr_key,
1910 			tmi->dec_data.enc_tmpl,
1911 			&tmi->dec_data.ctx, NULL);
1912 
1913 		if (result != CRYPTO_SUCCESS) {
1914 			cmn_err(CE_WARN, "crypto_decrypt_init failed:"
1915 				" %0x", result);
1916 			goto cleanup;
1917 		}
1918 	}
1919 
1920 	/* adjust the rptr so we don't decrypt the original hmac field */
1921 
1922 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
1923 	v1.iov_len = cipherlen;
1924 
1925 	indata.cd_format = CRYPTO_DATA_RAW;
1926 	indata.cd_offset = 0;
1927 	indata.cd_length = cipherlen;
1928 	indata.cd_raw = v1;
1929 
1930 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
1931 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1932 			&indata, NULL, NULL);
1933 	else
1934 		result = crypto_decrypt(&mech, &indata,
1935 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1936 
1937 	if (result != CRYPTO_SUCCESS) {
1938 		cmn_err(CE_WARN, "crypto_decrypt_update failed:"
1939 			" %0x", result);
1940 		goto cleanup;
1941 	}
1942 
1943 	k2.ck_format = CRYPTO_KEY_RAW;
1944 	k2.ck_length = sizeof (k2data) * 8;
1945 	k2.ck_data = k2data;
1946 
1947 	result = do_hmac(md5_hmac_mech,
1948 			&k2,
1949 			(char *)mp->b_rptr + hash->hash_len, cipherlen,
1950 			(char *)cksum, hash->hash_len);
1951 
1952 	if (result != CRYPTO_SUCCESS) {
1953 		cmn_err(CE_WARN,
1954 			"arcfour_hmac_md5_decrypt:  do_hmac(k2)"
1955 			"failed - error %0x", result);
1956 		goto cleanup;
1957 	}
1958 
1959 	if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) {
1960 		cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed");
1961 		result = -1;
1962 		goto cleanup;
1963 	}
1964 
1965 	/*
1966 	 * adjust the start of the mblk to skip over the
1967 	 * hash and confounder.
1968 	 */
1969 	mp->b_rptr += hash->hash_len + hash->confound_len;
1970 
1971 cleanup:
1972 	bzero(k1data, sizeof (k1data));
1973 	bzero(k2data, sizeof (k2data));
1974 	bzero(cksum, sizeof (cksum));
1975 	bzero(saltdata, sizeof (saltdata));
1976 	if (result != CRYPTO_SUCCESS) {
1977 		mp->b_datap->db_type = M_ERROR;
1978 		mp->b_rptr = mp->b_datap->db_base;
1979 		*mp->b_rptr = EIO;
1980 		mp->b_wptr = mp->b_rptr + sizeof (char);
1981 		freemsg(mp->b_cont);
1982 		mp->b_cont = NULL;
1983 		qreply(WR(q), mp);
1984 		return (NULL);
1985 	}
1986 	return (mp);
1987 }
1988 
1989 /*
1990  * ARCFOUR-HMAC-MD5 encrypt
1991  *
1992  * format of ciphertext when using ARCFOUR-HMAC-MD5
1993  *  +-----------+------------+------------+
1994  *  |  hmac     | confounder |  msg-data  |
1995  *  +-----------+------------+------------+
1996  *
1997  */
1998 static mblk_t *
1999 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
2000 			hash_info_t *hash)
2001 {
2002 	int result;
2003 	size_t cipherlen;
2004 	size_t inlen;
2005 	size_t saltlen;
2006 	crypto_key_t k1, k2;
2007 	crypto_data_t indata;
2008 	iovec_t v1;
2009 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
2010 				0xab, 0xab, 0xab, 0xab };
2011 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
2012 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
2013 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
2014 	crypto_mechanism_t mech;
2015 	int usage;
2016 
2017 	/* The usage constant is 1026 for all "old" rcmd mode operations */
2018 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
2019 		usage = RCMDV1_USAGE;
2020 	else
2021 		usage = ARCFOUR_ENCRYPT_USAGE;
2022 
2023 	mech.cm_type = tmi->enc_data.mech_type;
2024 	mech.cm_param = NULL;
2025 	mech.cm_param_len = 0;
2026 
2027 	/*
2028 	 * The size at this point should be the size of
2029 	 * all the plaintext plus the optional plaintext length
2030 	 * needed for RCMD V2 mode.  There should also be room
2031 	 * at the head of the mblk for the confounder and hash info.
2032 	 */
2033 	inlen = (size_t)MBLKL(mp);
2034 
2035 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2036 
2037 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2038 
2039 	/*
2040 	 * Shift the rptr back enough to insert
2041 	 * the confounder and hash.
2042 	 */
2043 	mp->b_rptr -= (hash->confound_len + hash->hash_len);
2044 
2045 	/* zero out the hash area */
2046 	bzero(mp->b_rptr, (size_t)hash->hash_len);
2047 
2048 	if (cipherlen > inlen) {
2049 		bzero(mp->b_wptr, MBLKTAIL(mp));
2050 	}
2051 
2052 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2053 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
2054 		saltdata[9] = 0;
2055 		saltdata[10] = usage & 0xff;
2056 		saltdata[11] = (usage >> 8) & 0xff;
2057 		saltdata[12] = (usage >> 16) & 0xff;
2058 		saltdata[13] = (usage >> 24) & 0xff;
2059 		saltlen = 14;
2060 	} else {
2061 		saltdata[0] = usage & 0xff;
2062 		saltdata[1] = (usage >> 8) & 0xff;
2063 		saltdata[2] = (usage >> 16) & 0xff;
2064 		saltdata[3] = (usage >> 24) & 0xff;
2065 		saltlen = 4;
2066 	}
2067 	/*
2068 	 * Use the salt value to create a key to be used
2069 	 * for subsequent HMAC operations.
2070 	 */
2071 	result = do_hmac(md5_hmac_mech,
2072 			tmi->enc_data.ckey,
2073 			(char *)saltdata, saltlen,
2074 			(char *)k1data, sizeof (k1data));
2075 	if (result != CRYPTO_SUCCESS) {
2076 		cmn_err(CE_WARN,
2077 			"arcfour_hmac_md5_encrypt:  do_hmac(k1)"
2078 			"failed - error %0x", result);
2079 		goto cleanup;
2080 	}
2081 
2082 	bcopy(k1data, k2data, sizeof (k2data));
2083 
2084 	/*
2085 	 * For the neutered MS RC4 encryption type,
2086 	 * set the trailing 9 bytes to 0xab per the
2087 	 * RC4-HMAC spec.
2088 	 */
2089 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2090 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
2091 	}
2092 
2093 	/*
2094 	 * Get the confounder bytes.
2095 	 */
2096 	(void) random_get_pseudo_bytes(
2097 			(uint8_t *)(mp->b_rptr + hash->hash_len),
2098 			(size_t)hash->confound_len);
2099 
2100 	k2.ck_data = k2data;
2101 	k2.ck_format = CRYPTO_KEY_RAW;
2102 	k2.ck_length = sizeof (k2data) * 8;
2103 
2104 	/*
2105 	 * This writes the HMAC to the hash area in the
2106 	 * mblk.  The key used is the one just created by
2107 	 * the previous HMAC operation.
2108 	 * The data being processed is the confounder bytes
2109 	 * PLUS the input plaintext.
2110 	 */
2111 	result = do_hmac(md5_hmac_mech, &k2,
2112 			(char *)mp->b_rptr + hash->hash_len,
2113 			hash->confound_len + inlen,
2114 			(char *)mp->b_rptr, hash->hash_len);
2115 	if (result != CRYPTO_SUCCESS) {
2116 		cmn_err(CE_WARN,
2117 			"arcfour_hmac_md5_encrypt:  do_hmac(k2)"
2118 			"failed - error %0x", result);
2119 		goto cleanup;
2120 	}
2121 	/*
2122 	 * Because of the odd way that MIT uses RC4 keys
2123 	 * on the rlogin stream, we only need to create
2124 	 * this key once.
2125 	 * However, if using "old" rcmd mode, we need to do
2126 	 * it every time.
2127 	 */
2128 	if (tmi->enc_data.ctx == NULL ||
2129 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
2130 		crypto_key_t *key = &tmi->enc_data.d_encr_key;
2131 
2132 		k1.ck_data = k1data;
2133 		k1.ck_format = CRYPTO_KEY_RAW;
2134 		k1.ck_length = sizeof (k1data) * 8;
2135 
2136 		key->ck_format = CRYPTO_KEY_RAW;
2137 		key->ck_length = k1.ck_length;
2138 		if (key->ck_data == NULL)
2139 			key->ck_data = kmem_zalloc(
2140 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
2141 
2142 		/*
2143 		 * The final HMAC operation creates the encryption
2144 		 * key to be used for the encrypt operation.
2145 		 */
2146 		result = do_hmac(md5_hmac_mech, &k1,
2147 			(char *)mp->b_rptr, hash->hash_len,
2148 			(char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES);
2149 
2150 		if (result != CRYPTO_SUCCESS) {
2151 			cmn_err(CE_WARN,
2152 				"arcfour_hmac_md5_encrypt:  do_hmac(k3)"
2153 				"failed - error %0x", result);
2154 			goto cleanup;
2155 		}
2156 	}
2157 
2158 	/*
2159 	 * If the context has not been initialized, do it now.
2160 	 */
2161 	if (tmi->enc_data.ctx == NULL &&
2162 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
2163 		/*
2164 		 * Only create a template if we are doing
2165 		 * chaining from block to block.
2166 		 */
2167 		result = crypto_create_ctx_template(&mech,
2168 				&tmi->enc_data.d_encr_key,
2169 				&tmi->enc_data.enc_tmpl,
2170 				KM_SLEEP);
2171 		if (result == CRYPTO_NOT_SUPPORTED) {
2172 			tmi->enc_data.enc_tmpl = NULL;
2173 		} else if (result != CRYPTO_SUCCESS) {
2174 			cmn_err(CE_WARN, "failed to create enc template "
2175 				"for RC4 encrypt: %0x", result);
2176 			goto cleanup;
2177 		}
2178 
2179 		result = crypto_encrypt_init(&mech,
2180 					&tmi->enc_data.d_encr_key,
2181 					tmi->enc_data.enc_tmpl,
2182 					&tmi->enc_data.ctx, NULL);
2183 		if (result != CRYPTO_SUCCESS) {
2184 			cmn_err(CE_WARN, "crypto_encrypt_init failed:"
2185 				" %0x", result);
2186 			goto cleanup;
2187 		}
2188 	}
2189 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
2190 	v1.iov_len = hash->confound_len + inlen;
2191 
2192 	indata.cd_format = CRYPTO_DATA_RAW;
2193 	indata.cd_offset = 0;
2194 	indata.cd_length = hash->confound_len + inlen;
2195 	indata.cd_raw = v1;
2196 
2197 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2198 		result = crypto_encrypt_update(tmi->enc_data.ctx,
2199 			&indata, NULL, NULL);
2200 	else
2201 		result = crypto_encrypt(&mech, &indata,
2202 			&tmi->enc_data.d_encr_key, NULL,
2203 			NULL, NULL);
2204 
2205 	if (result != CRYPTO_SUCCESS) {
2206 		cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x",
2207 			result);
2208 	}
2209 
2210 cleanup:
2211 	bzero(k1data, sizeof (k1data));
2212 	bzero(k2data, sizeof (k2data));
2213 	bzero(saltdata, sizeof (saltdata));
2214 	if (result != CRYPTO_SUCCESS) {
2215 		mp->b_datap->db_type = M_ERROR;
2216 		mp->b_rptr = mp->b_datap->db_base;
2217 		*mp->b_rptr = EIO;
2218 		mp->b_wptr = mp->b_rptr + sizeof (char);
2219 		freemsg(mp->b_cont);
2220 		mp->b_cont = NULL;
2221 		qreply(WR(q), mp);
2222 		return (NULL);
2223 	}
2224 	return (mp);
2225 }
2226 
2227 /*
2228  * DES-CBC-[HASH] encrypt
2229  *
2230  * Needed to support userland apps that must support Kerberos V5
2231  * encryption DES-CBC encryption modes.
2232  *
2233  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2234  *
2235  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2236  *  +-----------+----------+-------------+-----+
2237  *  |confounder |  cksum   |   msg-data  | pad |
2238  *  +-----------+----------+-------------+-----+
2239  *
2240  * format of ciphertext when using DES3-SHA1-HMAC
2241  *  +-----------+----------+-------------+-----+
2242  *  |confounder |  msg-data  |   hmac    | pad |
2243  *  +-----------+----------+-------------+-----+
2244  *
2245  *  The confounder is 8 bytes of random data.
2246  *  The cksum depends on the hash being used.
2247  *   4 bytes for CRC32
2248  *  16 bytes for MD5
2249  *  20 bytes for SHA1
2250  *   0 bytes for RAW
2251  *
2252  */
2253 static mblk_t *
2254 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2255 {
2256 	int result;
2257 	size_t cipherlen;
2258 	size_t inlen;
2259 	size_t plainlen;
2260 
2261 	/*
2262 	 * The size at this point should be the size of
2263 	 * all the plaintext plus the optional plaintext length
2264 	 * needed for RCMD V2 mode.  There should also be room
2265 	 * at the head of the mblk for the confounder and hash info.
2266 	 */
2267 	inlen = (size_t)MBLKL(mp);
2268 
2269 	/*
2270 	 * The output size will be a multiple of 8 because this algorithm
2271 	 * only works on 8 byte chunks.
2272 	 */
2273 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2274 
2275 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2276 
2277 	if (cipherlen > inlen) {
2278 		bzero(mp->b_wptr, MBLKTAIL(mp));
2279 	}
2280 
2281 	/*
2282 	 * Shift the rptr back enough to insert
2283 	 * the confounder and hash.
2284 	 */
2285 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2286 		mp->b_rptr -= hash->confound_len;
2287 	} else {
2288 		mp->b_rptr -= (hash->confound_len + hash->hash_len);
2289 
2290 		/* zero out the hash area */
2291 		bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
2292 	}
2293 
2294 	/* get random confounder from our friend, the 'random' module */
2295 	if (hash->confound_len > 0) {
2296 		(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
2297 				    (size_t)hash->confound_len);
2298 	}
2299 
2300 	/*
2301 	 * For 3DES we calculate an HMAC later.
2302 	 */
2303 	if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
2304 		/* calculate chksum of confounder + input */
2305 		if (hash->hash_len > 0 && hash->hashfunc != NULL) {
2306 			uchar_t cksum[MAX_CKSUM_LEN];
2307 
2308 			result = hash->hashfunc(cksum, mp->b_rptr,
2309 				cipherlen);
2310 			if (result != CRYPTO_SUCCESS) {
2311 				goto failure;
2312 			}
2313 
2314 			/* put hash in place right after the confounder */
2315 			bcopy(cksum, (mp->b_rptr + hash->confound_len),
2316 			    (size_t)hash->hash_len);
2317 		}
2318 	}
2319 	/*
2320 	 * In order to support the "old" Kerberos RCMD protocol,
2321 	 * we must use the IVEC 3 different ways:
2322 	 *   IVEC_REUSE = keep using the same IV each time, this is
2323 	 *		ugly and insecure, but necessary for
2324 	 *		backwards compatibility with existing MIT code.
2325 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2326 	 *		was setup (see setup_crypto routine).
2327 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2328 	 */
2329 	if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
2330 		bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
2331 	} else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
2332 		bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
2333 		    tmi->enc_data.blocklen);
2334 	}
2335 
2336 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2337 		/*
2338 		 * The input length already included the hash size,
2339 		 * don't include this in the plaintext length
2340 		 * calculations.
2341 		 */
2342 		plainlen = cipherlen - hash->hash_len;
2343 
2344 		mp->b_wptr = mp->b_rptr + plainlen;
2345 
2346 		result = kef_encr_hmac(&tmi->enc_data,
2347 			(void *)mp, (size_t)plainlen,
2348 			(char *)(mp->b_rptr + plainlen),
2349 			hash->hash_len);
2350 	} else {
2351 		ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
2352 		mp->b_wptr = mp->b_rptr + cipherlen;
2353 		result = kef_crypt(&tmi->enc_data, (void *)mp,
2354 			CRYPTO_DATA_MBLK, (size_t)cipherlen,
2355 			CRYPT_ENCRYPT);
2356 	}
2357 failure:
2358 	if (result != CRYPTO_SUCCESS) {
2359 #ifdef DEBUG
2360 		cmn_err(CE_WARN,
2361 			"des_cbc_encrypt: kef_crypt encrypt "
2362 			"failed (len: %ld) - error %0x",
2363 			cipherlen, result);
2364 #endif
2365 		mp->b_datap->db_type = M_ERROR;
2366 		mp->b_rptr = mp->b_datap->db_base;
2367 		*mp->b_rptr = EIO;
2368 		mp->b_wptr = mp->b_rptr + sizeof (char);
2369 		freemsg(mp->b_cont);
2370 		mp->b_cont = NULL;
2371 		qreply(WR(q), mp);
2372 		return (NULL);
2373 	} else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
2374 		/*
2375 		 * Because we are using KEF, we must manually
2376 		 * update our IV.
2377 		 */
2378 		bcopy(mp->b_wptr - tmi->enc_data.ivlen,
2379 			tmi->enc_data.block, tmi->enc_data.ivlen);
2380 	}
2381 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2382 		mp->b_wptr = mp->b_rptr + cipherlen;
2383 	}
2384 
2385 	return (mp);
2386 }
2387 
2388 /*
2389  * des_cbc_decrypt
2390  *
2391  *
2392  * Needed to support userland apps that must support Kerberos V5
2393  * encryption DES-CBC decryption modes.
2394  *
2395  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2396  *
2397  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2398  *  +-----------+----------+-------------+-----+
2399  *  |confounder |  cksum   |   msg-data  | pad |
2400  *  +-----------+----------+-------------+-----+
2401  *
2402  * format of ciphertext when using DES3-SHA1-HMAC
2403  *  +-----------+----------+-------------+-----+
2404  *  |confounder |  msg-data  |   hmac    | pad |
2405  *  +-----------+----------+-------------+-----+
2406  *
2407  *  The confounder is 8 bytes of random data.
2408  *  The cksum depends on the hash being used.
2409  *   4 bytes for CRC32
2410  *  16 bytes for MD5
2411  *  20 bytes for SHA1
2412  *   0 bytes for RAW
2413  *
2414  */
2415 static mblk_t *
2416 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2417 {
2418 	uint_t inlen, datalen;
2419 	int result = 0;
2420 	uchar_t *optr = NULL;
2421 	uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
2422 	uchar_t nextiv[DEFAULT_DES_BLOCKLEN];
2423 
2424 	/* Compute adjusted size */
2425 	inlen = MBLKL(mp);
2426 
2427 	optr = mp->b_rptr;
2428 
2429 	/*
2430 	 * In order to support the "old" Kerberos RCMD protocol,
2431 	 * we must use the IVEC 3 different ways:
2432 	 *   IVEC_REUSE = keep using the same IV each time, this is
2433 	 *		ugly and insecure, but necessary for
2434 	 *		backwards compatibility with existing MIT code.
2435 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2436 	 *		was setup (see setup_crypto routine).
2437 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2438 	 */
2439 	if (tmi->dec_data.ivec_usage == IVEC_NEVER)
2440 		bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
2441 	else if (tmi->dec_data.ivec_usage == IVEC_REUSE)
2442 		bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
2443 		    tmi->dec_data.blocklen);
2444 
2445 	if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2446 		/*
2447 		 * Do not decrypt the HMAC at the end
2448 		 */
2449 		int decrypt_len = inlen - hash->hash_len;
2450 
2451 		/*
2452 		 * Move the wptr so the mblk appears to end
2453 		 * BEFORE the HMAC section.
2454 		 */
2455 		mp->b_wptr = mp->b_rptr + decrypt_len;
2456 
2457 		/*
2458 		 * Because we are using KEF, we must manually update our
2459 		 * IV.
2460 		 */
2461 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2462 			bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen,
2463 				nextiv, tmi->dec_data.ivlen);
2464 		}
2465 
2466 		result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
2467 			(char *)newcksum, hash->hash_len);
2468 	} else {
2469 		/*
2470 		 * Because we are using KEF, we must manually update our
2471 		 * IV.
2472 		 */
2473 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2474 			bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv,
2475 				tmi->dec_data.ivlen);
2476 		}
2477 		result = kef_crypt(&tmi->dec_data, (void *)mp,
2478 			CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
2479 	}
2480 	if (result != CRYPTO_SUCCESS) {
2481 #ifdef DEBUG
2482 		cmn_err(CE_WARN,
2483 			"des_cbc_decrypt: kef_crypt decrypt "
2484 			"failed - error %0x", result);
2485 #endif
2486 		mp->b_datap->db_type = M_ERROR;
2487 		mp->b_rptr = mp->b_datap->db_base;
2488 		*mp->b_rptr = EIO;
2489 		mp->b_wptr = mp->b_rptr + sizeof (char);
2490 		freemsg(mp->b_cont);
2491 		mp->b_cont = NULL;
2492 		qreply(WR(q), mp);
2493 		return (NULL);
2494 	}
2495 
2496 	/*
2497 	 * Manually update the IV, KEF does not track this for us.
2498 	 */
2499 	if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2500 		bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen);
2501 	}
2502 
2503 	/* Verify the checksum(if necessary) */
2504 	if (hash->hash_len > 0) {
2505 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2506 			bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
2507 				hash->hash_len);
2508 		} else {
2509 			bcopy(optr + hash->confound_len, cksum, hash->hash_len);
2510 
2511 			/* zero the cksum in the buffer */
2512 			ASSERT(optr + hash->confound_len + hash->hash_len <=
2513 				DB_LIM(mp));
2514 			bzero(optr + hash->confound_len, hash->hash_len);
2515 
2516 			/* calculate MD5 chksum of confounder + input */
2517 			if (hash->hashfunc) {
2518 				(void) hash->hashfunc(newcksum, optr, inlen);
2519 			}
2520 		}
2521 
2522 		if (bcmp(cksum, newcksum, hash->hash_len)) {
2523 #ifdef DEBUG
2524 			cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
2525 				"verification failed");
2526 #endif
2527 			mp->b_datap->db_type = M_ERROR;
2528 			mp->b_rptr = mp->b_datap->db_base;
2529 			*mp->b_rptr = EIO;
2530 			mp->b_wptr = mp->b_rptr + sizeof (char);
2531 			freemsg(mp->b_cont);
2532 			mp->b_cont = NULL;
2533 			qreply(WR(q), mp);
2534 			return (NULL);
2535 		}
2536 	}
2537 
2538 	datalen = inlen - hash->confound_len - hash->hash_len;
2539 
2540 	/* Move just the decrypted input into place if necessary */
2541 	if (hash->confound_len > 0 || hash->hash_len > 0) {
2542 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1)
2543 			mp->b_rptr += hash->confound_len;
2544 		else
2545 			mp->b_rptr += hash->confound_len + hash->hash_len;
2546 	}
2547 
2548 	ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
2549 	mp->b_wptr = mp->b_rptr + datalen;
2550 
2551 	return (mp);
2552 }
2553 
2554 static mblk_t *
2555 do_decrypt(queue_t *q, mblk_t *mp)
2556 {
2557 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2558 	mblk_t *outmp;
2559 
2560 	switch (tmi->dec_data.method) {
2561 	case CRYPT_METHOD_DES_CFB:
2562 		outmp = des_cfb_decrypt(q, tmi, mp);
2563 		break;
2564 	case CRYPT_METHOD_NONE:
2565 		outmp = mp;
2566 		break;
2567 	case CRYPT_METHOD_DES_CBC_NULL:
2568 		outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
2569 		break;
2570 	case CRYPT_METHOD_DES_CBC_MD5:
2571 		outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
2572 		break;
2573 	case CRYPT_METHOD_DES_CBC_CRC:
2574 		outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
2575 		break;
2576 	case CRYPT_METHOD_DES3_CBC_SHA1:
2577 		outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
2578 		break;
2579 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2580 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2581 		outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
2582 		break;
2583 	case CRYPT_METHOD_AES128:
2584 	case CRYPT_METHOD_AES256:
2585 		outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
2586 		break;
2587 	}
2588 	return (outmp);
2589 }
2590 
2591 /*
2592  * do_encrypt
2593  *
2594  * Generic encryption routine for a single message block.
2595  * The input mblk may be replaced by some encrypt routines
2596  * because they add extra data in some cases that may exceed
2597  * the input mblk_t size limit.
2598  */
2599 static mblk_t *
2600 do_encrypt(queue_t *q, mblk_t *mp)
2601 {
2602 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2603 	mblk_t *outmp;
2604 
2605 	switch (tmi->enc_data.method) {
2606 	case CRYPT_METHOD_DES_CFB:
2607 		outmp = des_cfb_encrypt(q, tmi, mp);
2608 		break;
2609 	case CRYPT_METHOD_DES_CBC_NULL:
2610 		outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
2611 		break;
2612 	case CRYPT_METHOD_DES_CBC_MD5:
2613 		outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
2614 		break;
2615 	case CRYPT_METHOD_DES_CBC_CRC:
2616 		outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
2617 		break;
2618 	case CRYPT_METHOD_DES3_CBC_SHA1:
2619 		outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
2620 		break;
2621 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2622 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2623 		outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
2624 		break;
2625 	case CRYPT_METHOD_AES128:
2626 	case CRYPT_METHOD_AES256:
2627 		outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
2628 		break;
2629 	case CRYPT_METHOD_NONE:
2630 		outmp = mp;
2631 		break;
2632 	}
2633 	return (outmp);
2634 }
2635 
2636 /*
2637  * setup_crypto
2638  *
2639  * This takes the data from the CRYPTIOCSETUP ioctl
2640  * and sets up a cipher_data_t structure for either
2641  * encryption or decryption.  This is where the
2642  * key and initialization vector data get stored
2643  * prior to beginning any crypto functions.
2644  *
2645  * Special note:
2646  *   Some applications(e.g. telnetd) have ability to switch
2647  * crypto on/off periodically.  Thus, the application may call
2648  * the CRYPTIOCSETUP ioctl many times for the same stream.
2649  * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
2650  * assume that the key, block, and saveblock fields that are already
2651  * set from a previous CRIOCSETUP call are still valid.  This helps avoid
2652  * a rekeying error that could occur if we overwrite these fields
2653  * with each CRYPTIOCSETUP call.
2654  *   In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
2655  * without resetting the original crypto parameters.
2656  *
2657  */
2658 static int
2659 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
2660 {
2661 	uint_t newblocklen;
2662 	uint32_t enc_usage = 0, dec_usage = 0;
2663 	int rv;
2664 
2665 	/*
2666 	 * Initial sanity checks
2667 	 */
2668 	if (!CR_METHOD_OK(ci->crypto_method)) {
2669 		cmn_err(CE_WARN, "Illegal crypto method (%d)",
2670 			ci->crypto_method);
2671 		return (EINVAL);
2672 	}
2673 	if (!CR_OPTIONS_OK(ci->option_mask)) {
2674 		cmn_err(CE_WARN, "Illegal crypto options (%d)",
2675 			ci->option_mask);
2676 		return (EINVAL);
2677 	}
2678 	if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
2679 		cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
2680 			ci->ivec_usage);
2681 		return (EINVAL);
2682 	}
2683 
2684 	cd->method = ci->crypto_method;
2685 	cd->bytes = 0;
2686 
2687 	if (ci->keylen > 0) {
2688 		if (cd->key != NULL) {
2689 			kmem_free(cd->key, cd->keylen);
2690 			cd->key = NULL;
2691 			cd->keylen = 0;
2692 		}
2693 		/*
2694 		 * cd->key holds the copy of the raw key bytes passed in
2695 		 * from the userland app.
2696 		 */
2697 		cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP);
2698 
2699 		cd->keylen = ci->keylen;
2700 		bcopy(ci->key, cd->key, (size_t)ci->keylen);
2701 	}
2702 
2703 	/*
2704 	 * Configure the block size based on the type of cipher.
2705 	 */
2706 	switch (cd->method) {
2707 		case CRYPT_METHOD_NONE:
2708 			newblocklen = 0;
2709 			break;
2710 		case CRYPT_METHOD_DES_CFB:
2711 			newblocklen = DEFAULT_DES_BLOCKLEN;
2712 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
2713 			break;
2714 		case CRYPT_METHOD_DES_CBC_NULL:
2715 		case CRYPT_METHOD_DES_CBC_MD5:
2716 		case CRYPT_METHOD_DES_CBC_CRC:
2717 			newblocklen = DEFAULT_DES_BLOCKLEN;
2718 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
2719 			break;
2720 		case CRYPT_METHOD_DES3_CBC_SHA1:
2721 			newblocklen = DEFAULT_DES_BLOCKLEN;
2722 			cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
2723 			/* 3DES always uses the old usage constant */
2724 			enc_usage = RCMDV1_USAGE;
2725 			dec_usage = RCMDV1_USAGE;
2726 			break;
2727 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2728 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2729 			newblocklen = 0;
2730 			cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
2731 			break;
2732 		case CRYPT_METHOD_AES128:
2733 		case CRYPT_METHOD_AES256:
2734 			newblocklen = DEFAULT_AES_BLOCKLEN;
2735 			cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
2736 			enc_usage = AES_ENCRYPT_USAGE;
2737 			dec_usage = AES_DECRYPT_USAGE;
2738 			break;
2739 	}
2740 	if (cd->mech_type == CRYPTO_MECH_INVALID) {
2741 		return (CRYPTO_FAILED);
2742 	}
2743 
2744 	/*
2745 	 * If RC4, initialize the master crypto key used by
2746 	 * the RC4 algorithm to derive the final encrypt and decrypt keys.
2747 	 */
2748 	if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
2749 		/*
2750 		 * cd->ckey is a kernel crypto key structure used as the
2751 		 * master key in the RC4-HMAC crypto operations.
2752 		 */
2753 		if (cd->ckey == NULL) {
2754 			cd->ckey = (crypto_key_t *)kmem_zalloc(
2755 				sizeof (crypto_key_t), KM_SLEEP);
2756 		}
2757 
2758 		cd->ckey->ck_format = CRYPTO_KEY_RAW;
2759 		cd->ckey->ck_data = cd->key;
2760 
2761 		/* key length for EF is measured in bits */
2762 		cd->ckey->ck_length = cd->keylen * 8;
2763 	}
2764 
2765 	/*
2766 	 * cd->block and cd->saveblock are used as temporary storage for
2767 	 * data that must be carried over between encrypt/decrypt operations
2768 	 * in some of the "feedback" modes.
2769 	 */
2770 	if (newblocklen != cd->blocklen) {
2771 		if (cd->block != NULL) {
2772 			kmem_free(cd->block, cd->blocklen);
2773 			cd->block = NULL;
2774 		}
2775 
2776 		if (cd->saveblock != NULL) {
2777 			kmem_free(cd->saveblock, cd->blocklen);
2778 			cd->saveblock = NULL;
2779 		}
2780 
2781 		cd->blocklen = newblocklen;
2782 		if (cd->blocklen) {
2783 			cd->block = (char *)kmem_zalloc((size_t)cd->blocklen,
2784 				KM_SLEEP);
2785 		}
2786 
2787 		if (cd->method == CRYPT_METHOD_DES_CFB)
2788 			cd->saveblock = (char *)kmem_zalloc(cd->blocklen,
2789 						KM_SLEEP);
2790 		else
2791 			cd->saveblock = NULL;
2792 	}
2793 
2794 	if (ci->iveclen != cd->ivlen) {
2795 		if (cd->ivec != NULL) {
2796 			kmem_free(cd->ivec, cd->ivlen);
2797 			cd->ivec = NULL;
2798 		}
2799 		if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
2800 			cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen,
2801 						KM_SLEEP);
2802 			cd->ivlen = ci->iveclen;
2803 		} else {
2804 			cd->ivlen = 0;
2805 			cd->ivec = NULL;
2806 		}
2807 	}
2808 	cd->option_mask = ci->option_mask;
2809 
2810 	/*
2811 	 * Old protocol requires a static 'usage' value for
2812 	 * deriving keys.  Yuk.
2813 	 */
2814 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
2815 		enc_usage = dec_usage = RCMDV1_USAGE;
2816 	}
2817 
2818 	if (cd->ivlen > cd->blocklen) {
2819 		cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
2820 		return (EINVAL);
2821 	}
2822 
2823 	/*
2824 	 * If we are using an IVEC "correctly" (i.e. set it once)
2825 	 * copy it here.
2826 	 */
2827 	if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
2828 		bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);
2829 
2830 	cd->ivec_usage = ci->ivec_usage;
2831 	if (cd->ivec != NULL) {
2832 		/* Save the original IVEC in case we need it later */
2833 		bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
2834 	}
2835 	/*
2836 	 * Special handling for 3DES-SHA1-HMAC and AES crypto:
2837 	 * generate derived keys and context templates
2838 	 * for better performance.
2839 	 */
2840 	if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
2841 	    IS_AES_METHOD(cd->method)) {
2842 		crypto_mechanism_t enc_mech;
2843 		crypto_mechanism_t hmac_mech;
2844 
2845 		if (cd->d_encr_key.ck_data != NULL) {
2846 			bzero(cd->d_encr_key.ck_data, cd->keylen);
2847 			kmem_free(cd->d_encr_key.ck_data, cd->keylen);
2848 		}
2849 
2850 		if (cd->d_hmac_key.ck_data != NULL) {
2851 			bzero(cd->d_hmac_key.ck_data, cd->keylen);
2852 			kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
2853 		}
2854 
2855 		if (cd->enc_tmpl != NULL)
2856 			(void) crypto_destroy_ctx_template(cd->enc_tmpl);
2857 
2858 		if (cd->hmac_tmpl != NULL)
2859 			(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
2860 
2861 		enc_mech.cm_type = cd->mech_type;
2862 		enc_mech.cm_param = cd->ivec;
2863 		enc_mech.cm_param_len = cd->ivlen;
2864 
2865 		hmac_mech.cm_type = sha1_hmac_mech;
2866 		hmac_mech.cm_param = NULL;
2867 		hmac_mech.cm_param_len = 0;
2868 
2869 		/*
2870 		 * Create the derived keys.
2871 		 */
2872 		rv = create_derived_keys(cd,
2873 			(encrypt ? enc_usage : dec_usage),
2874 			&cd->d_encr_key, &cd->d_hmac_key);
2875 
2876 		if (rv != CRYPTO_SUCCESS) {
2877 			cmn_err(CE_WARN, "failed to create derived "
2878 				"keys: %0x", rv);
2879 			return (CRYPTO_FAILED);
2880 		}
2881 
2882 		rv = crypto_create_ctx_template(&enc_mech,
2883 					&cd->d_encr_key,
2884 					&cd->enc_tmpl, KM_SLEEP);
2885 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2886 			cd->enc_tmpl = NULL;
2887 		} else if (rv != CRYPTO_SUCCESS) {
2888 			cmn_err(CE_WARN, "failed to create enc template "
2889 				"for d_encr_key: %0x", rv);
2890 			return (CRYPTO_FAILED);
2891 		}
2892 
2893 		rv = crypto_create_ctx_template(&hmac_mech,
2894 				&cd->d_hmac_key,
2895 				&cd->hmac_tmpl, KM_SLEEP);
2896 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2897 			cd->hmac_tmpl = NULL;
2898 		} else if (rv != CRYPTO_SUCCESS) {
2899 			cmn_err(CE_WARN, "failed to create hmac template:"
2900 				" %0x", rv);
2901 			return (CRYPTO_FAILED);
2902 		}
2903 	} else if (IS_RC4_METHOD(cd->method)) {
2904 		bzero(&cd->d_encr_key, sizeof (crypto_key_t));
2905 		bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
2906 		cd->ctx = NULL;
2907 		cd->enc_tmpl = NULL;
2908 		cd->hmac_tmpl = NULL;
2909 	}
2910 
2911 	/* Final sanity checks, make sure no fields are NULL */
2912 	if (cd->method != CRYPT_METHOD_NONE) {
2913 		if (cd->block == NULL && cd->blocklen > 0) {
2914 #ifdef DEBUG
2915 			cmn_err(CE_WARN,
2916 				"setup_crypto: IV block not allocated");
2917 #endif
2918 			return (ENOMEM);
2919 		}
2920 		if (cd->key == NULL && cd->keylen > 0) {
2921 #ifdef DEBUG
2922 			cmn_err(CE_WARN,
2923 				"setup_crypto: key block not allocated");
2924 #endif
2925 			return (ENOMEM);
2926 		}
2927 		if (cd->method == CRYPT_METHOD_DES_CFB &&
2928 		    cd->saveblock == NULL && cd->blocklen > 0) {
2929 #ifdef DEBUG
2930 			cmn_err(CE_WARN,
2931 				"setup_crypto: save block not allocated");
2932 #endif
2933 			return (ENOMEM);
2934 		}
2935 		if (cd->ivec == NULL && cd->ivlen > 0) {
2936 #ifdef DEBUG
2937 			cmn_err(CE_WARN,
2938 				"setup_crypto: IV not allocated");
2939 #endif
2940 			return (ENOMEM);
2941 		}
2942 	}
2943 	return (0);
2944 }
2945 
2946 /*
2947  * RCMDS require a 4 byte, clear text
2948  * length field before each message.
2949  * Add it now.
2950  */
2951 static mblk_t *
2952 mklenmp(mblk_t *bp, uint32_t len)
2953 {
2954 	mblk_t *lenmp;
2955 	uchar_t *ucp;
2956 
2957 	if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) {
2958 		lenmp = allocb(4, BPRI_MED);
2959 		if (lenmp != NULL) {
2960 			lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
2961 			linkb(lenmp, bp);
2962 			bp = lenmp;
2963 		}
2964 	}
2965 	ucp = bp->b_rptr;
2966 	*--ucp = len;
2967 	*--ucp = len >> 8;
2968 	*--ucp = len >> 16;
2969 	*--ucp = len >> 24;
2970 
2971 	bp->b_rptr = ucp;
2972 
2973 	return (bp);
2974 }
2975 
2976 /*
2977  * encrypt_msgb
2978  *
2979  * encrypt a single message. This routine adds the
2980  * RCMD overhead bytes when necessary.
2981  */
2982 static mblk_t *
2983 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
2984 {
2985 	mblk_t *newmp;
2986 	size_t plainlen;
2987 	size_t headspace;
2988 
2989 	if (tmi->enc_data.method == CRYPT_METHOD_NONE) {
2990 		return (mp);
2991 	}
2992 
2993 	/*
2994 	 * process message
2995 	 */
2996 	newmp = NULL;
2997 	if ((plainlen = MBLKL(mp)) > 0) {
2998 		mblk_t *cbp;
2999 		size_t cipherlen;
3000 		size_t extra = 0;
3001 		uint32_t ptlen = (uint32_t)plainlen;
3002 
3003 		/*
3004 		 * If we are using the "NEW" RCMD mode,
3005 		 * add 4 bytes to the plaintext for the
3006 		 * plaintext length that gets prepended
3007 		 * before encrypting.
3008 		 */
3009 		if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
3010 			ptlen += 4;
3011 
3012 		cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);
3013 
3014 		/*
3015 		 * if we must allocb, then make sure its enough
3016 		 * to hold the length field so we dont have to allocb
3017 		 * again down below in 'mklenmp'
3018 		 */
3019 		if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
3020 			extra = sizeof (uint32_t);
3021 		}
3022 
3023 		/*
3024 		 * Calculate how much space is needed in front of
3025 		 * the data.
3026 		 */
3027 		headspace = plaintext_offset(&tmi->enc_data);
3028 
3029 		/*
3030 		 * If the current block is too small, reallocate
3031 		 * one large enough to hold the hdr, tail, and
3032 		 * ciphertext.
3033 		 */
3034 		if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
3035 			int sz = P2ROUNDUP(cipherlen+extra, 8);
3036 
3037 			cbp = allocb_tmpl(sz, mp);
3038 			if (cbp == NULL) {
3039 				cmn_err(CE_WARN,
3040 					"allocb (%d bytes) failed", sz);
3041 					return (NULL);
3042 			}
3043 
3044 			cbp->b_cont = mp->b_cont;
3045 
3046 			/*
3047 			 * headspace includes the length fields needed
3048 			 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
3049 			 */
3050 			cbp->b_rptr = DB_BASE(cbp) + headspace;
3051 
3052 			ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen, 8)
3053 				<= DB_LIM(cbp));
3054 
3055 			bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
3056 			cbp->b_wptr = cbp->b_rptr + plainlen;
3057 
3058 			freeb(mp);
3059 		} else {
3060 			size_t extra = 0;
3061 			cbp = mp;
3062 
3063 			/*
3064 			 * Some ciphers add HMAC after the final block
3065 			 * of the ciphertext, not at the beginning like the
3066 			 * 1-DES ciphers.
3067 			 */
3068 			if (tmi->enc_data.method ==
3069 				CRYPT_METHOD_DES3_CBC_SHA1 ||
3070 			    IS_AES_METHOD(tmi->enc_data.method)) {
3071 				extra = sha1_hash.hash_len;
3072 			}
3073 
3074 			/*
3075 			 * Make sure the rptr is positioned correctly so that
3076 			 * routines later do not have to shift this data around
3077 			 */
3078 			if ((cbp->b_rptr + P2ROUNDUP(plainlen + extra, 8) >
3079 				DB_LIM(cbp)) ||
3080 				(cbp->b_rptr - headspace < DB_BASE(cbp))) {
3081 				ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
3082 					plainlen);
3083 				cbp->b_rptr = DB_BASE(cbp) + headspace;
3084 				cbp->b_wptr = cbp->b_rptr + plainlen;
3085 			}
3086 		}
3087 
3088 		ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
3089 		ASSERT(cbp->b_wptr <= DB_LIM(cbp));
3090 
3091 		/*
3092 		 * If using RCMD_MODE_V2 (new rcmd mode), prepend
3093 		 * the plaintext length before the actual plaintext.
3094 		 */
3095 		if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
3096 			cbp->b_rptr -= RCMD_LEN_SZ;
3097 
3098 			/* put plaintext length at head of buffer */
3099 			*(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
3100 			*(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
3101 			*(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
3102 			*(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
3103 		}
3104 
3105 		newmp = do_encrypt(q, cbp);
3106 
3107 		if (newmp != NULL &&
3108 		    (tmi->enc_data.option_mask &
3109 		    (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
3110 			mblk_t *lp;
3111 			/*
3112 			 * Add length field, required when this is
3113 			 * used to encrypt "r*" commands(rlogin, rsh)
3114 			 * with Kerberos.
3115 			 */
3116 			lp = mklenmp(newmp, plainlen);
3117 
3118 			if (lp == NULL) {
3119 				freeb(newmp);
3120 				return (NULL);
3121 			} else {
3122 				newmp = lp;
3123 			}
3124 		}
3125 	} else {
3126 		freeb(mp);
3127 	}
3128 
3129 	return (newmp);
3130 }
3131 
3132 /*
3133  * cryptmodwsrv
3134  *
3135  * Service routine for the write queue.
3136  *
3137  * Because data may be placed in the queue to hold between
3138  * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
3139  */
3140 static int
3141 cryptmodwsrv(queue_t *q)
3142 {
3143 	mblk_t *mp;
3144 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3145 
3146 	while ((mp = getq(q)) != NULL) {
3147 		switch (mp->b_datap->db_type) {
3148 		default:
3149 			/*
3150 			 * wput does not queue anything > QPCTL
3151 			 */
3152 			if (!canputnext(q) ||
3153 			    !(tmi->ready & CRYPT_WRITE_READY)) {
3154 				if (!putbq(q, mp)) {
3155 					freemsg(mp);
3156 				}
3157 				return (0);
3158 			}
3159 			putnext(q, mp);
3160 			break;
3161 		case M_DATA:
3162 			if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) {
3163 				mblk_t *bp;
3164 				mblk_t *newmsg = NULL;
3165 
3166 				/*
3167 				 * If multiple msgs, concat into 1
3168 				 * to minimize crypto operations later.
3169 				 */
3170 				if (mp->b_cont != NULL) {
3171 					bp = msgpullup(mp, -1);
3172 					if (bp != NULL) {
3173 						freemsg(mp);
3174 						mp = bp;
3175 					}
3176 				}
3177 				newmsg = encrypt_msgb(q, tmi, mp);
3178 				if (newmsg != NULL)
3179 					putnext(q, newmsg);
3180 			} else {
3181 				if (!putbq(q, mp)) {
3182 					freemsg(mp);
3183 				}
3184 				return (0);
3185 			}
3186 			break;
3187 		}
3188 	}
3189 	return (0);
3190 }
3191 
3192 static void
3193 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
3194 {
3195 	mblk_t *newmp = NULL;
3196 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3197 
3198 	if (dir == CRYPT_ENCRYPT) {
3199 		tmi->ready |= CRYPT_WRITE_READY;
3200 		(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
3201 				"start_stream: restart ENCRYPT/WRITE q"));
3202 
3203 		enableok(wq);
3204 		qenable(wq);
3205 	} else if (dir == CRYPT_DECRYPT) {
3206 		/*
3207 		 * put any extra data in the RD
3208 		 * queue to be processed and
3209 		 * sent back up.
3210 		 */
3211 		newmp = mp->b_cont;
3212 		mp->b_cont = NULL;
3213 
3214 		tmi->ready |= CRYPT_READ_READY;
3215 		(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3216 				SL_TRACE|SL_NOTE,
3217 				"start_stream: restart "
3218 				"DECRYPT/READ q"));
3219 
3220 		if (newmp != NULL)
3221 			if (!putbq(RD(wq), newmp))
3222 				freemsg(newmp);
3223 
3224 		enableok(RD(wq));
3225 		qenable(RD(wq));
3226 	}
3227 
3228 	miocack(wq, mp, 0, 0);
3229 }
3230 
3231 /*
3232  * Write-side put procedure.  Its main task is to detect ioctls and
3233  * FLUSH operations.  Other message types are passed on through.
3234  */
3235 static void
3236 cryptmodwput(queue_t *wq, mblk_t *mp)
3237 {
3238 	struct iocblk *iocp;
3239 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3240 	int ret, err;
3241 
3242 	switch (mp->b_datap->db_type) {
3243 	case M_DATA:
3244 		if (wq->q_first == NULL && canputnext(wq) &&
3245 		    (tmi->ready & CRYPT_WRITE_READY) &&
3246 		    tmi->enc_data.method == CRYPT_METHOD_NONE) {
3247 			putnext(wq, mp);
3248 			return;
3249 		}
3250 		/* else, put it in the service queue */
3251 		if (!putq(wq, mp)) {
3252 			freemsg(mp);
3253 		}
3254 		break;
3255 	case M_FLUSH:
3256 		if (*mp->b_rptr & FLUSHW) {
3257 			flushq(wq, FLUSHDATA);
3258 		}
3259 		putnext(wq, mp);
3260 		break;
3261 	case M_IOCTL:
3262 		iocp = (struct iocblk *)mp->b_rptr;
3263 		switch (iocp->ioc_cmd) {
3264 		case CRYPTIOCSETUP:
3265 			ret = 0;
3266 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3267 					SL_TRACE | SL_NOTE,
3268 					"wput: got CRYPTIOCSETUP "
3269 					"ioctl(%d)", iocp->ioc_cmd));
3270 
3271 			if ((err = miocpullup(mp,
3272 					sizeof (struct cr_info_t))) != 0) {
3273 				cmn_err(CE_WARN,
3274 				"wput: miocpullup failed for cr_info_t");
3275 				miocnak(wq, mp, 0, err);
3276 			} else {
3277 				struct cr_info_t *ci;
3278 				ci = (struct cr_info_t *)mp->b_cont->b_rptr;
3279 
3280 				if (ci->direction_mask & CRYPT_ENCRYPT) {
3281 				    ret = setup_crypto(ci, &tmi->enc_data, 1);
3282 				}
3283 
3284 				if (ret == 0 &&
3285 				    (ci->direction_mask & CRYPT_DECRYPT)) {
3286 				    ret = setup_crypto(ci, &tmi->dec_data, 0);
3287 				}
3288 				if (ret == 0 &&
3289 				    (ci->direction_mask & CRYPT_DECRYPT) &&
3290 				    ANY_RCMD_MODE(tmi->dec_data.option_mask)) {
3291 					bzero(&tmi->rcmd_state,
3292 					    sizeof (tmi->rcmd_state));
3293 				}
3294 				if (ret == 0) {
3295 					miocack(wq, mp, 0, 0);
3296 				} else {
3297 					cmn_err(CE_WARN,
3298 						"wput: setup_crypto failed");
3299 					miocnak(wq, mp, 0, ret);
3300 				}
3301 				(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3302 						SL_TRACE|SL_NOTE,
3303 						"wput: done with SETUP "
3304 						"ioctl"));
3305 			}
3306 			break;
3307 		case CRYPTIOCSTOP:
3308 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3309 					SL_TRACE|SL_NOTE,
3310 					"wput: got CRYPTIOCSTOP "
3311 					"ioctl(%d)", iocp->ioc_cmd));
3312 
3313 			if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) {
3314 				cmn_err(CE_WARN,
3315 					"wput: CRYPTIOCSTOP ioctl wrong "
3316 					"size (%d should be %d)",
3317 					(int)iocp->ioc_count,
3318 					(int)sizeof (uint32_t));
3319 				miocnak(wq, mp, 0, err);
3320 			} else {
3321 				uint32_t *stopdir;
3322 
3323 				stopdir = (uint32_t *)mp->b_cont->b_rptr;
3324 				if (!CR_DIRECTION_OK(*stopdir)) {
3325 					miocnak(wq, mp, 0, EINVAL);
3326 					return;
3327 				}
3328 
3329 				/* disable the queues until further notice */
3330 				if (*stopdir & CRYPT_ENCRYPT) {
3331 					noenable(wq);
3332 					tmi->ready &= ~CRYPT_WRITE_READY;
3333 				}
3334 				if (*stopdir & CRYPT_DECRYPT) {
3335 					noenable(RD(wq));
3336 					tmi->ready &= ~CRYPT_READ_READY;
3337 				}
3338 
3339 				miocack(wq, mp, 0, 0);
3340 			}
3341 			break;
3342 		case CRYPTIOCSTARTDEC:
3343 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3344 					SL_TRACE|SL_NOTE,
3345 					"wput: got CRYPTIOCSTARTDEC "
3346 					"ioctl(%d)", iocp->ioc_cmd));
3347 
3348 			start_stream(wq, mp, CRYPT_DECRYPT);
3349 			break;
3350 		case CRYPTIOCSTARTENC:
3351 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3352 					SL_TRACE|SL_NOTE,
3353 					"wput: got CRYPTIOCSTARTENC "
3354 					"ioctl(%d)", iocp->ioc_cmd));
3355 
3356 			start_stream(wq, mp, CRYPT_ENCRYPT);
3357 			break;
3358 		default:
3359 			putnext(wq, mp);
3360 			break;
3361 		}
3362 		break;
3363 	default:
3364 		if (queclass(mp) < QPCTL) {
3365 			if (wq->q_first != NULL || !canputnext(wq)) {
3366 				if (!putq(wq, mp))
3367 					freemsg(mp);
3368 				return;
3369 			}
3370 		}
3371 		putnext(wq, mp);
3372 		break;
3373 	}
3374 }
3375 
3376 /*
3377  * decrypt_rcmd_mblks
3378  *
3379  * Because kerberized r* commands(rsh, rlogin, etc)
3380  * use a 4 byte length field to indicate the # of
3381  * PLAINTEXT bytes that are encrypted in the field
3382  * that follows, we must parse out each message and
3383  * break out the length fields prior to sending them
3384  * upstream to our Solaris r* clients/servers which do
3385  * NOT understand this format.
3386  *
3387  * Kerberized/encrypted message format:
3388  * -------------------------------
3389  * | XXXX | N bytes of ciphertext|
3390  * -------------------------------
3391  *
3392  * Where: XXXX = number of plaintext bytes that were encrypted in
3393  *               to make the ciphertext field.  This is done
3394  *               because we are using a cipher that pads out to
3395  *               an 8 byte boundary.  We only want the application
3396  *               layer to see the correct number of plain text bytes,
3397  *               not plaintext + pad.  So, after we decrypt, we
3398  *               must trim the output block down to the intended
3399  *               plaintext length and eliminate the pad bytes.
3400  *
3401  * This routine takes the entire input message, breaks it into
3402  * a new message that does not contain these length fields and
3403  * returns a message consisting of mblks filled with just ciphertext.
3404  *
3405  */
3406 static mblk_t *
3407 decrypt_rcmd_mblks(queue_t *q, mblk_t *mp)
3408 {
3409 	mblk_t *newmp = NULL;
3410 	size_t msglen;
3411 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3412 
3413 	msglen = msgsize(mp);
3414 
3415 	/*
3416 	 * If we need the length field, get it here.
3417 	 * Test the "plaintext length" indicator.
3418 	 */
3419 	if (tmi->rcmd_state.pt_len == 0) {
3420 		uint32_t elen;
3421 		int tocopy;
3422 		mblk_t *nextp;
3423 
3424 		/*
3425 		 * Make sure we have recieved all 4 bytes of the
3426 		 * length field.
3427 		 */
3428 		while (mp != NULL) {
3429 			ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t));
3430 
3431 			tocopy = sizeof (uint32_t) -
3432 				tmi->rcmd_state.cd_len;
3433 			if (tocopy > msglen)
3434 				tocopy = msglen;
3435 
3436 			ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp));
3437 			bcopy(mp->b_rptr,
3438 				(char *)(&tmi->rcmd_state.next_len +
3439 					tmi->rcmd_state.cd_len), tocopy);
3440 
3441 			tmi->rcmd_state.cd_len += tocopy;
3442 
3443 			if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) {
3444 				tmi->rcmd_state.next_len =
3445 					ntohl(tmi->rcmd_state.next_len);
3446 				break;
3447 			}
3448 
3449 			nextp = mp->b_cont;
3450 			mp->b_cont = NULL;
3451 			freeb(mp);
3452 			mp = nextp;
3453 		}
3454 
3455 		if (mp == NULL) {
3456 			return (NULL);
3457 		}
3458 		/*
3459 		 * recalculate the msglen now that we've read the
3460 		 * length and adjusted the bufptr (b_rptr).
3461 		 */
3462 		msglen -= tocopy;
3463 		mp->b_rptr += tocopy;
3464 
3465 		tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len;
3466 
3467 		if (tmi->rcmd_state.pt_len <= 0) {
3468 			/*
3469 			 * Return an IO error to break the connection. there
3470 			 * is no way to recover from this.  Usually it means
3471 			 * the app has incorrectly requested decryption on
3472 			 * a non-encrypted stream, thus the "pt_len" field
3473 			 * is negative.
3474 			 */
3475 			mp->b_datap->db_type = M_ERROR;
3476 			mp->b_rptr = mp->b_datap->db_base;
3477 			*mp->b_rptr = EIO;
3478 			mp->b_wptr = mp->b_rptr + sizeof (char);
3479 
3480 			freemsg(mp->b_cont);
3481 			mp->b_cont = NULL;
3482 			qreply(WR(q), mp);
3483 			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3484 			return (NULL);
3485 		}
3486 
3487 		/*
3488 		 * If this is V2 mode, then the encrypted data is actually
3489 		 * 4 bytes bigger than the indicated len because the plaintext
3490 		 * length is encrypted for an additional security check, but
3491 		 * its not counted as part of the overall length we just read.
3492 		 * Strange and confusing, but true.
3493 		 */
3494 
3495 		if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
3496 			elen = tmi->rcmd_state.pt_len + 4;
3497 		else
3498 			elen = tmi->rcmd_state.pt_len;
3499 
3500 		tmi->rcmd_state.cd_len  = encrypt_size(&tmi->dec_data, elen);
3501 
3502 		/*
3503 		 * Allocate an mblk to hold the cipher text until it is
3504 		 * all ready to be processed.
3505 		 */
3506 		tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len,
3507 						BPRI_HI);
3508 		if (tmi->rcmd_state.c_msg == NULL) {
3509 #ifdef DEBUG
3510 			cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed "
3511 				"for %d bytes",
3512 				(int)tmi->rcmd_state.cd_len);
3513 #endif
3514 			/*
3515 			 * Return an IO error to break the connection.
3516 			 */
3517 			mp->b_datap->db_type = M_ERROR;
3518 			mp->b_rptr = mp->b_datap->db_base;
3519 			*mp->b_rptr = EIO;
3520 			mp->b_wptr = mp->b_rptr + sizeof (char);
3521 			freemsg(mp->b_cont);
3522 			mp->b_cont = NULL;
3523 			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3524 			qreply(WR(q), mp);
3525 			return (NULL);
3526 		}
3527 	}
3528 
3529 	/*
3530 	 * If this entire message was just the length field,
3531 	 * free and return.  The actual data will probably be next.
3532 	 */
3533 	if (msglen == 0) {
3534 		freemsg(mp);
3535 		return (NULL);
3536 	}
3537 
3538 	/*
3539 	 * Copy as much of the cipher text as possible into
3540 	 * the new msgb (c_msg).
3541 	 *
3542 	 * Logic:  if we got some bytes (msglen) and we still
3543 	 * 	"need" some bytes (len-rcvd), get them here.
3544 	 */
3545 	ASSERT(tmi->rcmd_state.c_msg != NULL);
3546 	if (msglen > 0 &&
3547 	    (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) {
3548 		mblk_t *bp, *nextp;
3549 		size_t n;
3550 
3551 		/*
3552 		 * Walk the mblks and copy just as many bytes as we need
3553 		 * for this particular block of cipher text.
3554 		 */
3555 		bp = mp;
3556 		while (bp != NULL) {
3557 			size_t needed;
3558 			size_t tocopy;
3559 			n = MBLKL(bp);
3560 
3561 			needed = tmi->rcmd_state.cd_len -
3562 				MBLKL(tmi->rcmd_state.c_msg);
3563 
3564 			tocopy = (needed >= n ? n : needed);
3565 
3566 			ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp));
3567 			ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <=
3568 				DB_LIM(tmi->rcmd_state.c_msg));
3569 
3570 			/* Copy to end of new mblk */
3571 			bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr,
3572 				tocopy);
3573 
3574 			tmi->rcmd_state.c_msg->b_wptr += tocopy;
3575 
3576 			bp->b_rptr += tocopy;
3577 
3578 			nextp = bp->b_cont;
3579 
3580 			/*
3581 			 * If we used this whole block, free it and
3582 			 * move on.
3583 			 */
3584 			if (!MBLKL(bp)) {
3585 				freeb(bp);
3586 				bp = NULL;
3587 			}
3588 
3589 			/* If we got what we needed, stop the loop */
3590 			if (MBLKL(tmi->rcmd_state.c_msg) ==
3591 			    tmi->rcmd_state.cd_len) {
3592 				/*
3593 				 * If there is more data in the message,
3594 				 * its for another block of cipher text,
3595 				 * put it back in the queue for next time.
3596 				 */
3597 				if (bp) {
3598 					if (!putbq(q, bp))
3599 						freemsg(bp);
3600 				} else if (nextp != NULL) {
3601 					/*
3602 					 * If there is more, put it back in the
3603 					 * queue for another pass thru.
3604 					 */
3605 					if (!putbq(q, nextp))
3606 						freemsg(nextp);
3607 				}
3608 				break;
3609 			}
3610 			bp = nextp;
3611 		}
3612 	}
3613 	/*
3614 	 * Finally, if we received all the cipher text data for
3615 	 * this message, decrypt it into a new msg and send it up
3616 	 * to the app.
3617 	 */
3618 	if (tmi->rcmd_state.pt_len > 0 &&
3619 	    MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) {
3620 		mblk_t *bp;
3621 		mblk_t *newbp;
3622 
3623 		/*
3624 		 * Now we can use our msg that we created when the
3625 		 * initial message boundary was detected.
3626 		 */
3627 		bp = tmi->rcmd_state.c_msg;
3628 		tmi->rcmd_state.c_msg = NULL;
3629 
3630 		newbp = do_decrypt(q, bp);
3631 		if (newbp != NULL) {
3632 			bp = newbp;
3633 			/*
3634 			 * If using RCMD_MODE_V2 ("new" mode),
3635 			 * look at the 4 byte plaintext length that
3636 			 * was just decrypted and compare with the
3637 			 * original pt_len value that was received.
3638 			 */
3639 			if (tmi->dec_data.option_mask &
3640 			    CRYPTOPT_RCMD_MODE_V2) {
3641 				uint32_t pt_len2;
3642 
3643 				pt_len2 = *(uint32_t *)bp->b_rptr;
3644 				pt_len2 = ntohl(pt_len2);
3645 				/*
3646 				 * Make sure the 2 pt len fields agree.
3647 				 */
3648 				if (pt_len2 != tmi->rcmd_state.pt_len) {
3649 					cmn_err(CE_WARN,
3650 						"Inconsistent length fields"
3651 						" received %d != %d",
3652 						(int)tmi->rcmd_state.pt_len,
3653 						(int)pt_len2);
3654 					bp->b_datap->db_type = M_ERROR;
3655 					bp->b_rptr = bp->b_datap->db_base;
3656 					*bp->b_rptr = EIO;
3657 					bp->b_wptr = bp->b_rptr + sizeof (char);
3658 					freemsg(bp->b_cont);
3659 					bp->b_cont = NULL;
3660 					tmi->rcmd_state.cd_len = 0;
3661 					qreply(WR(q), bp);
3662 					return (NULL);
3663 				}
3664 				bp->b_rptr += sizeof (uint32_t);
3665 			}
3666 
3667 			/*
3668 			 * Trim the decrypted block the length originally
3669 			 * indicated by the sender.  This is to remove any
3670 			 * padding bytes that the sender added to satisfy
3671 			 * requirements of the crypto algorithm.
3672 			 */
3673 			bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len;
3674 
3675 			newmp = bp;
3676 
3677 			/*
3678 			 * Reset our state to indicate we are ready
3679 			 * for a new message.
3680 			 */
3681 			tmi->rcmd_state.pt_len = 0;
3682 			tmi->rcmd_state.cd_len = 0;
3683 		} else {
3684 #ifdef DEBUG
3685 			cmn_err(CE_WARN,
3686 				"decrypt_rcmd: do_decrypt on %d bytes failed",
3687 				(int)tmi->rcmd_state.cd_len);
3688 #endif
3689 			/*
3690 			 * do_decrypt already handled failures, just
3691 			 * return NULL.
3692 			 */
3693 			tmi->rcmd_state.pt_len = 0;
3694 			tmi->rcmd_state.cd_len = 0;
3695 			return (NULL);
3696 		}
3697 	}
3698 
3699 	/*
3700 	 * return the new message with the 'length' fields removed
3701 	 */
3702 	return (newmp);
3703 }
3704 
3705 /*
3706  * cryptmodrsrv
3707  *
3708  * Read queue service routine
3709  * Necessary because if the ready flag is not set
3710  * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
3711  * must remain on queue and not be passed along.
3712  */
3713 static int
3714 cryptmodrsrv(queue_t *q)
3715 {
3716 	mblk_t *mp, *bp;
3717 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3718 
3719 	while ((mp = getq(q)) != NULL) {
3720 		switch (mp->b_datap->db_type) {
3721 		case M_DATA:
3722 			if (canputnext(q) && tmi->ready & CRYPT_READ_READY) {
3723 				/*
3724 				 * Process "rcmd" messages differently because
3725 				 * they contain a 4 byte plaintext length
3726 				 * id that needs to be removed.
3727 				 */
3728 				if (tmi->dec_data.method != CRYPT_METHOD_NONE &&
3729 				    (tmi->dec_data.option_mask &
3730 				    (CRYPTOPT_RCMD_MODE_V1 |
3731 				    CRYPTOPT_RCMD_MODE_V2))) {
3732 					mp = decrypt_rcmd_mblks(q, mp);
3733 					if (mp)
3734 						putnext(q, mp);
3735 					continue;
3736 				}
3737 				if ((bp = msgpullup(mp, -1)) != NULL) {
3738 					freemsg(mp);
3739 					if (MBLKL(bp) > 0) {
3740 						mp = do_decrypt(q, bp);
3741 						if (mp != NULL)
3742 							putnext(q, mp);
3743 					}
3744 				}
3745 			} else {
3746 				if (!putbq(q, mp)) {
3747 					freemsg(mp);
3748 				}
3749 				return (0);
3750 			}
3751 			break;
3752 		default:
3753 			/*
3754 			 * rput does not queue anything > QPCTL, so we don't
3755 			 * need to check for it here.
3756 			 */
3757 			if (!canputnext(q)) {
3758 				if (!putbq(q, mp))
3759 					freemsg(mp);
3760 				return (0);
3761 			}
3762 			putnext(q, mp);
3763 			break;
3764 		}
3765 	}
3766 	return (0);
3767 }
3768 
3769 
3770 /*
3771  * Read-side put procedure.
3772  */
3773 static void
3774 cryptmodrput(queue_t *rq, mblk_t *mp)
3775 {
3776 	switch (mp->b_datap->db_type) {
3777 	case M_DATA:
3778 		if (!putq(rq, mp)) {
3779 			freemsg(mp);
3780 		}
3781 		break;
3782 	case M_FLUSH:
3783 		if (*mp->b_rptr & FLUSHR) {
3784 			flushq(rq, FLUSHALL);
3785 		}
3786 		putnext(rq, mp);
3787 		break;
3788 	default:
3789 		if (queclass(mp) < QPCTL) {
3790 			if (rq->q_first != NULL || !canputnext(rq)) {
3791 				if (!putq(rq, mp))
3792 					freemsg(mp);
3793 				return;
3794 			}
3795 		}
3796 		putnext(rq, mp);
3797 		break;
3798 	}
3799 }
3800