/* * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * * Copyright (c) 2018, Joyent, Inc. * * STREAMS Crypto Module * * This module is used to facilitate Kerberos encryption * operations for the telnet daemon and rlogin daemon. * Because the Solaris telnet and rlogin daemons run mostly * in-kernel via 'telmod' and 'rlmod', this module must be * pushed on the STREAM *below* telmod or rlmod. * * Parts of the 3DES key derivation code are covered by the * following copyright. * * Copyright (C) 1998 by the FundsXpress, INC. * * All rights reserved. * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright * notice appear in all copies and that both that copyright notice and * this permission notice appear in supporting documentation, and that * the name of FundsXpress. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* * Function prototypes. */ static int cryptmodopen(queue_t *, dev_t *, int, int, cred_t *); static int cryptmodrput(queue_t *, mblk_t *); static int cryptmodwput(queue_t *, mblk_t *); static int cryptmodclose(queue_t *, int, cred_t *); static int cryptmodwsrv(queue_t *); static int cryptmodrsrv(queue_t *); static mblk_t *do_encrypt(queue_t *q, mblk_t *mp); static mblk_t *do_decrypt(queue_t *q, mblk_t *mp); #define CRYPTMOD_ID 5150 #define CFB_BLKSZ 8 #define K5CLENGTH 5 static struct module_info cryptmod_minfo = { CRYPTMOD_ID, /* mi_idnum */ "cryptmod", /* mi_idname */ 0, /* mi_minpsz */ INFPSZ, /* mi_maxpsz */ 65536, /* mi_hiwat */ 1024 /* mi_lowat */ }; static struct qinit cryptmod_rinit = { cryptmodrput, /* qi_putp */ cryptmodrsrv, /* qi_svc */ cryptmodopen, /* qi_qopen */ cryptmodclose, /* qi_qclose */ NULL, /* qi_qadmin */ &cryptmod_minfo, /* qi_minfo */ NULL /* qi_mstat */ }; static struct qinit cryptmod_winit = { cryptmodwput, /* qi_putp */ cryptmodwsrv, /* qi_srvp */ NULL, /* qi_qopen */ NULL, /* qi_qclose */ NULL, /* qi_qadmin */ &cryptmod_minfo, /* qi_minfo */ NULL /* qi_mstat */ }; static struct streamtab cryptmod_info = { &cryptmod_rinit, /* st_rdinit */ &cryptmod_winit, /* st_wrinit */ NULL, /* st_muxrinit */ NULL /* st_muxwinit */ }; typedef struct { uint_t hash_len; uint_t confound_len; int (*hashfunc)(); } hash_info_t; #define MAX_CKSUM_LEN 20 #define CONFOUNDER_LEN 8 #define SHA1_HASHSIZE 20 #define MD5_HASHSIZE 16 #define CRC32_HASHSIZE 4 #define MSGBUF_SIZE 4096 #define CONFOUNDER_BYTES 128 static int crc32_calc(uchar_t *, uchar_t *, uint_t); static int md5_calc(uchar_t *, uchar_t *, uint_t); static int sha1_calc(uchar_t *, uchar_t *, uint_t); static hash_info_t null_hash = {0, 0, NULL}; static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc}; static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc}; static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc}; static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID; static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID; static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID; static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID; static int kef_crypt(struct cipher_data_t *, void *, crypto_data_format_t, size_t, int); static mblk_t * arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *, mblk_t *, hash_info_t *); static mblk_t * arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *, mblk_t *, hash_info_t *); static int do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int); /* * This is the loadable module wrapper. */ #include static struct fmodsw fsw = { "cryptmod", &cryptmod_info, D_MP | D_MTQPAIR }; /* * Module linkage information for the kernel. */ static struct modlstrmod modlstrmod = { &mod_strmodops, "STREAMS encryption module", &fsw }; static struct modlinkage modlinkage = { MODREV_1, &modlstrmod, NULL }; int _init(void) { return (mod_install(&modlinkage)); } int _fini(void) { return (mod_remove(&modlinkage)); } int _info(struct modinfo *modinfop) { return (mod_info(&modlinkage, modinfop)); } static void cleanup(struct cipher_data_t *cd) { if (cd->key != NULL) { bzero(cd->key, cd->keylen); kmem_free(cd->key, cd->keylen); cd->key = NULL; } if (cd->ckey != NULL) { /* * ckey is a crypto_key_t structure which references * "cd->key" for its raw key data. Since that was already * cleared out, we don't need another "bzero" here. */ kmem_free(cd->ckey, sizeof (crypto_key_t)); cd->ckey = NULL; } if (cd->block != NULL) { kmem_free(cd->block, cd->blocklen); cd->block = NULL; } if (cd->saveblock != NULL) { kmem_free(cd->saveblock, cd->blocklen); cd->saveblock = NULL; } if (cd->ivec != NULL) { kmem_free(cd->ivec, cd->ivlen); cd->ivec = NULL; } if (cd->d_encr_key.ck_data != NULL) { bzero(cd->d_encr_key.ck_data, cd->keylen); kmem_free(cd->d_encr_key.ck_data, cd->keylen); } if (cd->d_hmac_key.ck_data != NULL) { bzero(cd->d_hmac_key.ck_data, cd->keylen); kmem_free(cd->d_hmac_key.ck_data, cd->keylen); } if (cd->enc_tmpl != NULL) (void) crypto_destroy_ctx_template(cd->enc_tmpl); if (cd->hmac_tmpl != NULL) (void) crypto_destroy_ctx_template(cd->hmac_tmpl); if (cd->ctx != NULL) { crypto_cancel_ctx(cd->ctx); cd->ctx = NULL; } } /* ARGSUSED */ static int cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp) { struct tmodinfo *tmi; ASSERT(rq); if (sflag != MODOPEN) return (EINVAL); (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, "cryptmodopen: opening module(PID %d)", ddi_get_pid())); if (rq->q_ptr != NULL) { cmn_err(CE_WARN, "cryptmodopen: already opened"); return (0); } /* * Allocate and initialize per-Stream structure. */ tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo), KM_SLEEP); tmi->enc_data.method = CRYPT_METHOD_NONE; tmi->dec_data.method = CRYPT_METHOD_NONE; tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY); rq->q_ptr = WR(rq)->q_ptr = tmi; sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC); md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC); sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1); md5_hash_mech = crypto_mech2id(SUN_CKM_MD5); qprocson(rq); return (0); } /* ARGSUSED */ static int cryptmodclose(queue_t *rq, int flags __unused, cred_t *credp __unused) { struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr; ASSERT(tmi); qprocsoff(rq); cleanup(&tmi->enc_data); cleanup(&tmi->dec_data); kmem_free(tmi, sizeof (struct tmodinfo)); rq->q_ptr = WR(rq)->q_ptr = NULL; return (0); } /* * plaintext_offset * * Calculate exactly how much space is needed in front * of the "plaintext" in an mbuf so it can be positioned * 1 time instead of potentially moving the data multiple * times. */ static int plaintext_offset(struct cipher_data_t *cd) { int headspace = 0; /* 4 byte length prepended to all RCMD msgs */ if (ANY_RCMD_MODE(cd->option_mask)) headspace += RCMD_LEN_SZ; /* RCMD V2 mode adds an additional 4 byte plaintext length */ if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2) headspace += RCMD_LEN_SZ; /* Need extra space for hash and counfounder */ switch (cd->method) { case CRYPT_METHOD_DES_CBC_NULL: headspace += null_hash.hash_len + null_hash.confound_len; break; case CRYPT_METHOD_DES_CBC_CRC: headspace += crc32_hash.hash_len + crc32_hash.confound_len; break; case CRYPT_METHOD_DES_CBC_MD5: headspace += md5_hash.hash_len + md5_hash.confound_len; break; case CRYPT_METHOD_DES3_CBC_SHA1: headspace += sha1_hash.confound_len; break; case CRYPT_METHOD_ARCFOUR_HMAC_MD5: headspace += md5_hash.hash_len + md5_hash.confound_len; break; case CRYPT_METHOD_AES128: case CRYPT_METHOD_AES256: headspace += DEFAULT_AES_BLOCKLEN; break; case CRYPT_METHOD_DES_CFB: case CRYPT_METHOD_NONE: break; } return (headspace); } /* * encrypt_size * * Calculate the resulting size when encrypting 'plainlen' bytes * of data. */ static size_t encrypt_size(struct cipher_data_t *cd, size_t plainlen) { size_t cipherlen; switch (cd->method) { case CRYPT_METHOD_DES_CBC_NULL: cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len + plainlen, 8); break; case CRYPT_METHOD_DES_CBC_MD5: cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len + md5_hash.confound_len + plainlen, 8); break; case CRYPT_METHOD_DES_CBC_CRC: cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len + crc32_hash.confound_len + plainlen, 8); break; case CRYPT_METHOD_DES3_CBC_SHA1: cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len + plainlen, 8) + sha1_hash.hash_len; break; case CRYPT_METHOD_ARCFOUR_HMAC_MD5: cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len + plainlen, 1) + md5_hash.hash_len; break; case CRYPT_METHOD_AES128: case CRYPT_METHOD_AES256: /* No roundup for AES-CBC-CTS */ cipherlen = DEFAULT_AES_BLOCKLEN + plainlen + AES_TRUNCATED_HMAC_LEN; break; case CRYPT_METHOD_DES_CFB: case CRYPT_METHOD_NONE: cipherlen = plainlen; break; } return (cipherlen); } /* * des_cfb_encrypt * * Encrypt the mblk data using DES with cipher feedback. * * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit * vector, D[n] is the nth chunk of 64 bits of data to encrypt * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted * (decrypted) data, then: * * V[0] = DES(V[i], key) * O[n] = D[n] V[n] * V[n+1] = DES(O[n], key) * * The size of the message being encrypted does not change in this * algorithm, num_bytes in == num_bytes out. */ static mblk_t * des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) { int savedbytes; char *iptr, *optr, *lastoutput; lastoutput = optr = (char *)mp->b_rptr; iptr = (char *)mp->b_rptr; savedbytes = tmi->enc_data.bytes % CFB_BLKSZ; while (iptr < (char *)mp->b_wptr) { /* * Do DES-ECB. * The first time this runs, the 'tmi->enc_data.block' will * contain the initialization vector that should have been * passed in with the SETUP ioctl. * * V[n] = DES(V[n-1], key) */ if (!(tmi->enc_data.bytes % CFB_BLKSZ)) { int retval = 0; retval = kef_crypt(&tmi->enc_data, tmi->enc_data.block, CRYPTO_DATA_RAW, tmi->enc_data.blocklen, CRYPT_ENCRYPT); if (retval != CRYPTO_SUCCESS) { #ifdef DEBUG cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt " "failed - error 0x%0x", retval); #endif mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); return (NULL); } } /* O[n] = I[n] ^ V[n] */ *(optr++) = *(iptr++) ^ tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ]; tmi->enc_data.bytes++; /* * Feedback the encrypted output as the input to next DES call. */ if (!(tmi->enc_data.bytes % CFB_BLKSZ)) { char *dbptr = tmi->enc_data.block; /* * Get the last bits of input from the previous * msg block that we haven't yet used as feedback input. */ if (savedbytes > 0) { bcopy(tmi->enc_data.saveblock, dbptr, (size_t)savedbytes); dbptr += savedbytes; } /* * Now copy the correct bytes from the current input * stream and update the 'lastoutput' ptr */ bcopy(lastoutput, dbptr, (size_t)(CFB_BLKSZ - savedbytes)); lastoutput += (CFB_BLKSZ - savedbytes); savedbytes = 0; } } /* * If there are bytes of input here that we need in the next * block to build an ivec, save them off here. */ if (lastoutput < optr) { bcopy(lastoutput, tmi->enc_data.saveblock + savedbytes, (uint_t)(optr - lastoutput)); } return (mp); } /* * des_cfb_decrypt * * Decrypt the data in the mblk using DES in Cipher Feedback mode * * # bytes in == # bytes out, no padding, confounding, or hashing * is added. * */ static mblk_t * des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) { uint_t len; uint_t savedbytes; char *iptr; char *lastinput; uint_t cp; len = MBLKL(mp); /* decrypted output goes into the new data buffer */ lastinput = iptr = (char *)mp->b_rptr; savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen; /* * Save the input CFB_BLKSZ bytes at a time. * We are trying to decrypt in-place, but need to keep * a small sliding window of encrypted text to be * used to construct the feedback buffer. */ cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len : tmi->dec_data.blocklen - savedbytes); bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp); savedbytes += cp; lastinput += cp; while (iptr < (char *)mp->b_wptr) { /* * Do DES-ECB. * The first time this runs, the 'tmi->dec_data.block' will * contain the initialization vector that should have been * passed in with the SETUP ioctl. */ if (!(tmi->dec_data.bytes % CFB_BLKSZ)) { int retval; retval = kef_crypt(&tmi->dec_data, tmi->dec_data.block, CRYPTO_DATA_RAW, tmi->dec_data.blocklen, CRYPT_ENCRYPT); if (retval != CRYPTO_SUCCESS) { #ifdef DEBUG cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt " "failed - status 0x%0x", retval); #endif mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); return (NULL); } } /* * To decrypt, XOR the input with the output from the DES call */ *(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes % CFB_BLKSZ]; tmi->dec_data.bytes++; /* * Feedback the encrypted input for next DES call. */ if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) { char *dbptr = tmi->dec_data.block; /* * Get the last bits of input from the previous block * that we haven't yet processed. */ if (savedbytes > 0) { bcopy(tmi->dec_data.saveblock, dbptr, savedbytes); dbptr += savedbytes; } savedbytes = 0; /* * This block makes sure that our local * buffer of input data is full and can * be accessed from the beginning. */ if (lastinput < (char *)mp->b_wptr) { /* How many bytes are left in the mblk? */ cp = (((char *)mp->b_wptr - lastinput) > tmi->dec_data.blocklen ? tmi->dec_data.blocklen : (char *)mp->b_wptr - lastinput); /* copy what we need */ bcopy(lastinput, tmi->dec_data.saveblock, cp); lastinput += cp; savedbytes = cp; } } } return (mp); } /* * crc32_calc * * Compute a CRC32 checksum on the input */ static int crc32_calc(uchar_t *buf, uchar_t *input, uint_t len) { uint32_t crc; CRC32(crc, input, len, 0, crc32_table); buf[0] = (uchar_t)(crc & 0xff); buf[1] = (uchar_t)((crc >> 8) & 0xff); buf[2] = (uchar_t)((crc >> 16) & 0xff); buf[3] = (uchar_t)((crc >> 24) & 0xff); return (CRYPTO_SUCCESS); } static int kef_digest(crypto_mech_type_t digest_type, uchar_t *input, uint_t inlen, uchar_t *output, uint_t hashlen) { iovec_t v1, v2; crypto_data_t d1, d2; crypto_mechanism_t mech; int rv; mech.cm_type = digest_type; mech.cm_param = 0; mech.cm_param_len = 0; v1.iov_base = (void *)input; v1.iov_len = inlen; d1.cd_format = CRYPTO_DATA_RAW; d1.cd_offset = 0; d1.cd_length = v1.iov_len; d1.cd_raw = v1; v2.iov_base = (void *)output; v2.iov_len = hashlen; d2.cd_format = CRYPTO_DATA_RAW; d2.cd_offset = 0; d2.cd_length = v2.iov_len; d2.cd_raw = v2; rv = crypto_digest(&mech, &d1, &d2, NULL); return (rv); } /* * sha1_calc * * Get a SHA1 hash on the input data. */ static int sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen) { int rv; rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE); return (rv); } /* * Get an MD5 hash on the input data. * md5_calc * */ static int md5_calc(uchar_t *output, uchar_t *input, uint_t inlen) { int rv; rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE); return (rv); } /* * nfold * duplicate the functionality of the krb5_nfold function from * the userland kerberos mech. * This is needed to derive keys for use with 3DES/SHA1-HMAC * ciphers. */ static void nfold(int inbits, uchar_t *in, int outbits, uchar_t *out) { int a, b, c, lcm; int byte, i, msbit; inbits >>= 3; outbits >>= 3; /* first compute lcm(n,k) */ a = outbits; b = inbits; while (b != 0) { c = b; b = a%b; a = c; } lcm = outbits*inbits/a; /* now do the real work */ bzero(out, outbits); byte = 0; /* * Compute the msbit in k which gets added into this byte * first, start with the msbit in the first, unrotated byte * then, for each byte, shift to the right for each repetition * last, pick out the correct byte within that shifted repetition */ for (i = lcm-1; i >= 0; i--) { msbit = (((inbits<<3)-1) +(((inbits<<3)+13)*(i/inbits)) +((inbits-(i%inbits))<<3)) %(inbits<<3); /* pull out the byte value itself */ byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)| (in[((inbits)-(msbit>>3))%inbits])) >>((msbit&7)+1))&0xff; /* do the addition */ byte += out[i%outbits]; out[i%outbits] = byte&0xff; byte >>= 8; } /* if there's a carry bit left over, add it back in */ if (byte) { for (i = outbits-1; i >= 0; i--) { /* do the addition */ byte += out[i]; out[i] = byte&0xff; /* keep around the carry bit, if any */ byte >>= 8; } } } #define smask(step) ((1<>step)&smask(step))) #define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1) /* * Duplicate the functionality of the "dk_derive_key" function * in the Kerberos mechanism. */ static int derive_key(struct cipher_data_t *cdata, uchar_t *constdata, int constlen, char *dkey, int keybytes, int blocklen) { int rv = 0; int n = 0, i; char *inblock; char *rawkey; char *zeroblock; char *saveblock; inblock = kmem_zalloc(blocklen, KM_SLEEP); rawkey = kmem_zalloc(keybytes, KM_SLEEP); zeroblock = kmem_zalloc(blocklen, KM_SLEEP); if (constlen == blocklen) bcopy(constdata, inblock, blocklen); else nfold(constlen * 8, constdata, blocklen * 8, (uchar_t *)inblock); /* * zeroblock is an IV of all 0's. * * The "block" section of the cdata record is used as the * IV for crypto operations in the kef_crypt function. * * We use 'block' as a generic IV data buffer because it * is attached to the stream state data and thus can * be used to hold information that must carry over * from processing of one mblk to another. * * Here, we save the current IV and replace it with * and empty IV (all 0's) for use when deriving the * keys. Once the key derivation is done, we swap the * old IV back into place. */ saveblock = cdata->block; cdata->block = zeroblock; while (n < keybytes) { rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW, blocklen, CRYPT_ENCRYPT); if (rv != CRYPTO_SUCCESS) { /* put the original IV block back in place */ cdata->block = saveblock; cmn_err(CE_WARN, "failed to derive a key: %0x", rv); goto cleanup; } if (keybytes - n < blocklen) { bcopy(inblock, rawkey+n, (keybytes-n)); break; } bcopy(inblock, rawkey+n, blocklen); n += blocklen; } /* put the original IV block back in place */ cdata->block = saveblock; /* finally, make the key */ if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) { /* * 3DES key derivation requires that we make sure the * key has the proper parity. */ for (i = 0; i < 3; i++) { bcopy(rawkey+(i*7), dkey+(i*8), 7); /* 'dkey' is our derived key output buffer */ dkey[i*8+7] = (((dkey[i*8]&1)<<1) | ((dkey[i*8+1]&1)<<2) | ((dkey[i*8+2]&1)<<3) | ((dkey[i*8+3]&1)<<4) | ((dkey[i*8+4]&1)<<5) | ((dkey[i*8+5]&1)<<6) | ((dkey[i*8+6]&1)<<7)); for (n = 0; n < 8; n++) { dkey[i*8 + n] &= 0xfe; dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]); } } } else if (IS_AES_METHOD(cdata->method)) { bcopy(rawkey, dkey, keybytes); } cleanup: kmem_free(inblock, blocklen); kmem_free(zeroblock, blocklen); kmem_free(rawkey, keybytes); return (rv); } /* * create_derived_keys * * Algorithm for deriving a new key and an HMAC key * before computing the 3DES-SHA1-HMAC operation on the plaintext * This algorithm matches the work done by Kerberos mechanism * in userland. */ static int create_derived_keys(struct cipher_data_t *cdata, uint32_t usage, crypto_key_t *enckey, crypto_key_t *hmackey) { uchar_t constdata[K5CLENGTH]; int keybytes; int rv; constdata[0] = (usage>>24)&0xff; constdata[1] = (usage>>16)&0xff; constdata[2] = (usage>>8)&0xff; constdata[3] = usage & 0xff; /* Use "0xAA" for deriving encryption key */ constdata[4] = 0xAA; /* from MIT Kerberos code */ enckey->ck_length = cdata->keylen * 8; enckey->ck_format = CRYPTO_KEY_RAW; enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP); switch (cdata->method) { case CRYPT_METHOD_DES_CFB: case CRYPT_METHOD_DES_CBC_NULL: case CRYPT_METHOD_DES_CBC_MD5: case CRYPT_METHOD_DES_CBC_CRC: keybytes = 8; break; case CRYPT_METHOD_DES3_CBC_SHA1: keybytes = CRYPT_DES3_KEYBYTES; break; case CRYPT_METHOD_ARCFOUR_HMAC_MD5: case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: keybytes = CRYPT_ARCFOUR_KEYBYTES; break; case CRYPT_METHOD_AES128: keybytes = CRYPT_AES128_KEYBYTES; break; case CRYPT_METHOD_AES256: keybytes = CRYPT_AES256_KEYBYTES; break; } /* derive main crypto key */ rv = derive_key(cdata, constdata, sizeof (constdata), enckey->ck_data, keybytes, cdata->blocklen); if (rv == CRYPTO_SUCCESS) { /* Use "0x55" for deriving mac key */ constdata[4] = 0x55; hmackey->ck_length = cdata->keylen * 8; hmackey->ck_format = CRYPTO_KEY_RAW; hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP); rv = derive_key(cdata, constdata, sizeof (constdata), hmackey->ck_data, keybytes, cdata->blocklen); } else { cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv); } return (rv); } /* * Compute 3-DES crypto and HMAC. */ static int kef_decr_hmac(struct cipher_data_t *cdata, mblk_t *mp, int length, char *hmac, int hmaclen) { int rv = CRYPTO_FAILED; crypto_mechanism_t encr_mech; crypto_mechanism_t mac_mech; crypto_data_t dd; crypto_data_t mac; iovec_t v1; ASSERT(cdata != NULL); ASSERT(mp != NULL); ASSERT(hmac != NULL); bzero(&dd, sizeof (dd)); dd.cd_format = CRYPTO_DATA_MBLK; dd.cd_offset = 0; dd.cd_length = length; dd.cd_mp = mp; v1.iov_base = hmac; v1.iov_len = hmaclen; mac.cd_format = CRYPTO_DATA_RAW; mac.cd_offset = 0; mac.cd_length = hmaclen; mac.cd_raw = v1; /* * cdata->block holds the IVEC */ encr_mech.cm_type = cdata->mech_type; encr_mech.cm_param = cdata->block; if (cdata->block != NULL) encr_mech.cm_param_len = cdata->blocklen; else encr_mech.cm_param_len = 0; rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key, cdata->enc_tmpl, NULL, NULL); if (rv != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv); return (rv); } mac_mech.cm_type = sha1_hmac_mech; mac_mech.cm_param = NULL; mac_mech.cm_param_len = 0; /* * Compute MAC of the plaintext decrypted above. */ rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key, cdata->hmac_tmpl, &mac, NULL); if (rv != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); } return (rv); } /* * Compute 3-DES crypto and HMAC. */ static int kef_encr_hmac(struct cipher_data_t *cdata, mblk_t *mp, int length, char *hmac, int hmaclen) { int rv = CRYPTO_FAILED; crypto_mechanism_t encr_mech; crypto_mechanism_t mac_mech; crypto_data_t dd; crypto_data_t mac; iovec_t v1; ASSERT(cdata != NULL); ASSERT(mp != NULL); ASSERT(hmac != NULL); bzero(&dd, sizeof (dd)); dd.cd_format = CRYPTO_DATA_MBLK; dd.cd_offset = 0; dd.cd_length = length; dd.cd_mp = mp; v1.iov_base = hmac; v1.iov_len = hmaclen; mac.cd_format = CRYPTO_DATA_RAW; mac.cd_offset = 0; mac.cd_length = hmaclen; mac.cd_raw = v1; /* * cdata->block holds the IVEC */ encr_mech.cm_type = cdata->mech_type; encr_mech.cm_param = cdata->block; if (cdata->block != NULL) encr_mech.cm_param_len = cdata->blocklen; else encr_mech.cm_param_len = 0; mac_mech.cm_type = sha1_hmac_mech; mac_mech.cm_param = NULL; mac_mech.cm_param_len = 0; rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key, cdata->hmac_tmpl, &mac, NULL); if (rv != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); return (rv); } rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key, cdata->enc_tmpl, NULL, NULL); if (rv != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv); } return (rv); } /* * kef_crypt * * Use the Kernel encryption framework to provide the * crypto operations for the indicated data. */ static int kef_crypt(struct cipher_data_t *cdata, void *indata, crypto_data_format_t fmt, size_t length, int mode) { int rv = CRYPTO_FAILED; crypto_mechanism_t mech; crypto_key_t crkey; iovec_t v1; crypto_data_t d1; ASSERT(cdata != NULL); ASSERT(indata != NULL); ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK); bzero(&crkey, sizeof (crkey)); bzero(&d1, sizeof (d1)); crkey.ck_format = CRYPTO_KEY_RAW; crkey.ck_data = cdata->key; /* keys are measured in bits, not bytes, so multiply by 8 */ crkey.ck_length = cdata->keylen * 8; if (fmt == CRYPTO_DATA_RAW) { v1.iov_base = (char *)indata; v1.iov_len = length; } d1.cd_format = fmt; d1.cd_offset = 0; d1.cd_length = length; if (fmt == CRYPTO_DATA_RAW) d1.cd_raw = v1; else if (fmt == CRYPTO_DATA_MBLK) d1.cd_mp = (mblk_t *)indata; mech.cm_type = cdata->mech_type; mech.cm_param = cdata->block; /* * cdata->block holds the IVEC */ if (cdata->block != NULL) mech.cm_param_len = cdata->blocklen; else mech.cm_param_len = 0; /* * encrypt and decrypt in-place */ if (mode == CRYPT_ENCRYPT) rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL); else rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL); if (rv != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "%s returned error %08x", (mode == CRYPT_ENCRYPT ? "crypto_encrypt" : "crypto_decrypt"), rv); return (CRYPTO_FAILED); } return (rv); } static int do_hmac(crypto_mech_type_t mech, crypto_key_t *key, char *data, int datalen, char *hmac, int hmaclen) { int rv = 0; crypto_mechanism_t mac_mech; crypto_data_t dd; crypto_data_t mac; iovec_t vdata, vmac; mac_mech.cm_type = mech; mac_mech.cm_param = NULL; mac_mech.cm_param_len = 0; vdata.iov_base = data; vdata.iov_len = datalen; bzero(&dd, sizeof (dd)); dd.cd_format = CRYPTO_DATA_RAW; dd.cd_offset = 0; dd.cd_length = datalen; dd.cd_raw = vdata; vmac.iov_base = hmac; vmac.iov_len = hmaclen; mac.cd_format = CRYPTO_DATA_RAW; mac.cd_offset = 0; mac.cd_length = hmaclen; mac.cd_raw = vmac; /* * Compute MAC of the plaintext decrypted above. */ rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL); if (rv != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "crypto_mac failed: %0x", rv); } return (rv); } #define XOR_BLOCK(src, dst) \ (dst)[0] ^= (src)[0]; \ (dst)[1] ^= (src)[1]; \ (dst)[2] ^= (src)[2]; \ (dst)[3] ^= (src)[3]; \ (dst)[4] ^= (src)[4]; \ (dst)[5] ^= (src)[5]; \ (dst)[6] ^= (src)[6]; \ (dst)[7] ^= (src)[7]; \ (dst)[8] ^= (src)[8]; \ (dst)[9] ^= (src)[9]; \ (dst)[10] ^= (src)[10]; \ (dst)[11] ^= (src)[11]; \ (dst)[12] ^= (src)[12]; \ (dst)[13] ^= (src)[13]; \ (dst)[14] ^= (src)[14]; \ (dst)[15] ^= (src)[15] #define xorblock(x, y) XOR_BLOCK(y, x) static int aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length) { int result = CRYPTO_SUCCESS; unsigned char tmp[DEFAULT_AES_BLOCKLEN]; unsigned char tmp2[DEFAULT_AES_BLOCKLEN]; unsigned char tmp3[DEFAULT_AES_BLOCKLEN]; int nblocks = 0, blockno; crypto_data_t ct, pt; crypto_mechanism_t mech; mech.cm_type = tmi->enc_data.mech_type; if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) { bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); } else { bzero(tmp, sizeof (tmp)); } mech.cm_param = NULL; mech.cm_param_len = 0; nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; bzero(&ct, sizeof (crypto_data_t)); bzero(&pt, sizeof (crypto_data_t)); if (nblocks == 1) { pt.cd_format = CRYPTO_DATA_RAW; pt.cd_length = length; pt.cd_raw.iov_base = (char *)plain; pt.cd_raw.iov_len = length; result = crypto_encrypt(&mech, &pt, &tmi->enc_data.d_encr_key, NULL, NULL, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " "crypto_encrypt failed: %0x", result); } } else { size_t nleft; ct.cd_format = CRYPTO_DATA_RAW; ct.cd_offset = 0; ct.cd_length = DEFAULT_AES_BLOCKLEN; pt.cd_format = CRYPTO_DATA_RAW; pt.cd_offset = 0; pt.cd_length = DEFAULT_AES_BLOCKLEN; result = crypto_encrypt_init(&mech, &tmi->enc_data.d_encr_key, tmi->enc_data.enc_tmpl, &tmi->enc_data.ctx, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " "crypto_encrypt_init failed: %0x", result); goto cleanup; } for (blockno = 0; blockno < nblocks - 2; blockno++) { xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN); pt.cd_raw.iov_base = (char *)tmp; pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; ct.cd_raw.iov_base = (char *)plain + blockno * DEFAULT_AES_BLOCKLEN; ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; result = crypto_encrypt_update(tmi->enc_data.ctx, &pt, &ct, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " "crypto_encrypt_update failed: %0x", result); goto cleanup; } /* copy result over original bytes */ /* make another copy for the next XOR step */ bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN, tmp, DEFAULT_AES_BLOCKLEN); } /* XOR cipher text from n-3 with plain text from n-2 */ xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN); pt.cd_raw.iov_base = (char *)tmp; pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; ct.cd_raw.iov_base = (char *)tmp2; ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; /* encrypt XOR-ed block N-2 */ result = crypto_encrypt_update(tmi->enc_data.ctx, &pt, &ct, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " "crypto_encrypt_update(2) failed: %0x", result); goto cleanup; } nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN; bzero(tmp3, sizeof (tmp3)); /* Save final plaintext bytes from n-1 */ bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, nleft); /* Overwrite n-1 with cipher text from n-2 */ bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, nleft); bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN); /* XOR cipher text from n-1 with plain text from n-1 */ xorblock(tmp, tmp3); pt.cd_raw.iov_base = (char *)tmp; pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; ct.cd_raw.iov_base = (char *)tmp2; ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; /* encrypt block N-2 */ result = crypto_encrypt_update(tmi->enc_data.ctx, &pt, &ct, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " "crypto_encrypt_update(3) failed: %0x", result); goto cleanup; } bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, DEFAULT_AES_BLOCKLEN); ct.cd_raw.iov_base = (char *)tmp2; ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; /* * Ignore the output on the final step. */ result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " "crypto_encrypt_final(3) failed: %0x", result); } tmi->enc_data.ctx = NULL; } cleanup: bzero(tmp, sizeof (tmp)); bzero(tmp2, sizeof (tmp)); bzero(tmp3, sizeof (tmp)); bzero(tmi->enc_data.block, tmi->enc_data.blocklen); return (result); } static int aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length) { int result = CRYPTO_SUCCESS; unsigned char tmp[DEFAULT_AES_BLOCKLEN]; unsigned char tmp2[DEFAULT_AES_BLOCKLEN]; unsigned char tmp3[DEFAULT_AES_BLOCKLEN]; int nblocks = 0, blockno; crypto_data_t ct, pt; crypto_mechanism_t mech; mech.cm_type = tmi->enc_data.mech_type; if (tmi->dec_data.ivec_usage != IVEC_NEVER && tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) { bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); } else { bzero(tmp, sizeof (tmp)); } mech.cm_param_len = 0; mech.cm_param = NULL; nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; bzero(&pt, sizeof (pt)); bzero(&ct, sizeof (ct)); if (nblocks == 1) { ct.cd_format = CRYPTO_DATA_RAW; ct.cd_length = length; ct.cd_raw.iov_base = (char *)buff; ct.cd_raw.iov_len = length; result = crypto_decrypt(&mech, &ct, &tmi->dec_data.d_encr_key, NULL, NULL, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " "crypto_decrypt failed: %0x", result); goto cleanup; } } else { ct.cd_format = CRYPTO_DATA_RAW; ct.cd_offset = 0; ct.cd_length = DEFAULT_AES_BLOCKLEN; pt.cd_format = CRYPTO_DATA_RAW; pt.cd_offset = 0; pt.cd_length = DEFAULT_AES_BLOCKLEN; result = crypto_decrypt_init(&mech, &tmi->dec_data.d_encr_key, tmi->dec_data.enc_tmpl, &tmi->dec_data.ctx, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " "crypto_decrypt_init failed: %0x", result); goto cleanup; } for (blockno = 0; blockno < nblocks - 2; blockno++) { ct.cd_raw.iov_base = (char *)buff + (blockno * DEFAULT_AES_BLOCKLEN); ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; pt.cd_raw.iov_base = (char *)tmp2; pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; /* * Save the input to the decrypt so it can * be used later for an XOR operation */ bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN), tmi->dec_data.block, DEFAULT_AES_BLOCKLEN); result = crypto_decrypt_update(tmi->dec_data.ctx, &ct, &pt, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " "crypto_decrypt_update(1) error - " "result = 0x%08x", result); goto cleanup; } xorblock(tmp2, tmp); bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN, DEFAULT_AES_BLOCKLEN); /* * The original cipher text is used as the xor * for the next block, save it here. */ bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN); } ct.cd_raw.iov_base = (char *)buff + ((nblocks - 2) * DEFAULT_AES_BLOCKLEN); ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; pt.cd_raw.iov_base = (char *)tmp2; pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; result = crypto_decrypt_update(tmi->dec_data.ctx, &ct, &pt, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " "crypto_decrypt_update(2) error -" " result = 0x%08x", result); goto cleanup; } bzero(tmp3, sizeof (tmp3)); bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); xorblock(tmp2, tmp3); bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); /* 2nd to last block ... */ bcopy(tmp3, tmp2, length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); ct.cd_raw.iov_base = (char *)tmp2; ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; pt.cd_raw.iov_base = (char *)tmp3; pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; result = crypto_decrypt_update(tmi->dec_data.ctx, &ct, &pt, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " "crypto_decrypt_update(3) error - " "result = 0x%08x", result); goto cleanup; } xorblock(tmp3, tmp); /* Finally, update the 2nd to last block and we are done. */ bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, DEFAULT_AES_BLOCKLEN); /* Do Final step, but ignore output */ pt.cd_raw.iov_base = (char *)tmp2; pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " "crypto_decrypt_final error - " "result = 0x%0x", result); } tmi->dec_data.ctx = NULL; } cleanup: bzero(tmp, sizeof (tmp)); bzero(tmp2, sizeof (tmp)); bzero(tmp3, sizeof (tmp)); bzero(tmi->dec_data.block, tmi->dec_data.blocklen); return (result); } /* * AES decrypt * * format of ciphertext when using AES * +-------------+------------+------------+ * | confounder | msg-data | hmac | * +-------------+------------+------------+ */ static mblk_t * aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) { int result; size_t enclen; size_t inlen; uchar_t hmacbuff[64]; uchar_t tmpiv[DEFAULT_AES_BLOCKLEN]; inlen = (size_t)MBLKL(mp); enclen = inlen - AES_TRUNCATED_HMAC_LEN; if (tmi->dec_data.ivec_usage != IVEC_NEVER && tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) { int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2), tmpiv, DEFAULT_AES_BLOCKLEN); } /* AES Decrypt */ result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_decrypt: aes_cbc_cts_decrypt " "failed - error %0x", result); goto cleanup; } /* Verify the HMAC */ result = do_hmac(sha1_hmac_mech, &tmi->dec_data.d_hmac_key, (char *)mp->b_rptr, enclen, (char *)hmacbuff, hash->hash_len); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_decrypt: do_hmac failed - error %0x", result); goto cleanup; } if (bcmp(hmacbuff, mp->b_rptr + enclen, AES_TRUNCATED_HMAC_LEN) != 0) { result = -1; cmn_err(CE_WARN, "aes_decrypt: checksum verification failed"); goto cleanup; } /* truncate the mblk at the end of the decrypted text */ mp->b_wptr = mp->b_rptr + enclen; /* Adjust the beginning of the buffer to skip the confounder */ mp->b_rptr += DEFAULT_AES_BLOCKLEN; if (tmi->dec_data.ivec_usage != IVEC_NEVER && tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN); cleanup: if (result != CRYPTO_SUCCESS) { mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); return (NULL); } return (mp); } /* * AES encrypt * * format of ciphertext when using AES * +-------------+------------+------------+ * | confounder | msg-data | hmac | * +-------------+------------+------------+ */ static mblk_t * aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) { int result; size_t cipherlen; size_t inlen; uchar_t hmacbuff[64]; inlen = (size_t)MBLKL(mp); cipherlen = encrypt_size(&tmi->enc_data, inlen); ASSERT(MBLKSIZE(mp) >= cipherlen); /* * Shift the rptr back enough to insert the confounder. */ mp->b_rptr -= DEFAULT_AES_BLOCKLEN; /* Get random data for confounder */ (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr, DEFAULT_AES_BLOCKLEN); /* * Because we encrypt in-place, we need to calculate * the HMAC of the plaintext now, then stick it on * the end of the ciphertext down below. */ result = do_hmac(sha1_hmac_mech, &tmi->enc_data.d_hmac_key, (char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen, (char *)hmacbuff, hash->hash_len); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_encrypt: do_hmac failed - error %0x", result); goto cleanup; } /* Encrypt using AES-CBC-CTS */ result = aes_cbc_cts_encrypt(tmi, mp->b_rptr, inlen + DEFAULT_AES_BLOCKLEN); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "aes_encrypt: aes_cbc_cts_encrypt " "failed - error %0x", result); goto cleanup; } /* copy the truncated HMAC to the end of the mblk */ bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen, AES_TRUNCATED_HMAC_LEN); mp->b_wptr = mp->b_rptr + cipherlen; /* * The final block of cipher text (not the HMAC) is used * as the next IV. */ if (tmi->enc_data.ivec_usage != IVEC_NEVER && tmi->enc_data.ivec != NULL) { int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN); } cleanup: if (result != CRYPTO_SUCCESS) { mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); return (NULL); } return (mp); } /* * ARCFOUR-HMAC-MD5 decrypt * * format of ciphertext when using ARCFOUR-HMAC-MD5 * +-----------+------------+------------+ * | hmac | confounder | msg-data | * +-----------+------------+------------+ * */ static mblk_t * arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) { int result; size_t cipherlen; size_t inlen; size_t saltlen; crypto_key_t k1, k2; crypto_data_t indata; iovec_t v1; uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab }; uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; uchar_t cksum[MD5_HASHSIZE]; uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; crypto_mechanism_t mech; int usage; bzero(&indata, sizeof (indata)); /* The usage constant is 1026 for all "old" rcmd mode operations */ if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1) usage = RCMDV1_USAGE; else usage = ARCFOUR_DECRYPT_USAGE; /* * The size at this point should be the size of * all the plaintext plus the optional plaintext length * needed for RCMD V2 mode. There should also be room * at the head of the mblk for the confounder and hash info. */ inlen = (size_t)MBLKL(mp); /* * The cipherlen does not include the HMAC at the * head of the buffer. */ cipherlen = inlen - hash->hash_len; ASSERT(MBLKSIZE(mp) >= cipherlen); if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); saltdata[9] = 0; saltdata[10] = usage & 0xff; saltdata[11] = (usage >> 8) & 0xff; saltdata[12] = (usage >> 16) & 0xff; saltdata[13] = (usage >> 24) & 0xff; saltlen = 14; } else { saltdata[0] = usage & 0xff; saltdata[1] = (usage >> 8) & 0xff; saltdata[2] = (usage >> 16) & 0xff; saltdata[3] = (usage >> 24) & 0xff; saltlen = 4; } /* * Use the salt value to create a key to be used * for subsequent HMAC operations. */ result = do_hmac(md5_hmac_mech, tmi->dec_data.ckey, (char *)saltdata, saltlen, (char *)k1data, sizeof (k1data)); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "arcfour_hmac_md5_decrypt: do_hmac(k1)" "failed - error %0x", result); goto cleanup; } bcopy(k1data, k2data, sizeof (k1data)); /* * For the neutered MS RC4 encryption type, * set the trailing 9 bytes to 0xab per the * RC4-HMAC spec. */ if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); } mech.cm_type = tmi->dec_data.mech_type; mech.cm_param = NULL; mech.cm_param_len = 0; /* * If we have not yet initialized the decryption key, * context, and template, do it now. */ if (tmi->dec_data.ctx == NULL || (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { k1.ck_format = CRYPTO_KEY_RAW; k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8; k1.ck_data = k1data; tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW; tmi->dec_data.d_encr_key.ck_length = k1.ck_length; if (tmi->dec_data.d_encr_key.ck_data == NULL) tmi->dec_data.d_encr_key.ck_data = kmem_zalloc( CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); /* * HMAC operation creates the encryption * key to be used for the decrypt operations. */ result = do_hmac(md5_hmac_mech, &k1, (char *)mp->b_rptr, hash->hash_len, (char *)tmi->dec_data.d_encr_key.ck_data, CRYPT_ARCFOUR_KEYBYTES); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "arcfour_hmac_md5_decrypt: do_hmac(k3)" "failed - error %0x", result); goto cleanup; } } tmi->dec_data.enc_tmpl = NULL; if (tmi->dec_data.ctx == NULL && (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { /* * Only create a template if we are doing * chaining from block to block. */ result = crypto_create_ctx_template(&mech, &tmi->dec_data.d_encr_key, &tmi->dec_data.enc_tmpl, KM_SLEEP); if (result == CRYPTO_NOT_SUPPORTED) { tmi->dec_data.enc_tmpl = NULL; } else if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "arcfour_hmac_md5_decrypt: " "failed to create dec template " "for RC4 encrypt: %0x", result); goto cleanup; } result = crypto_decrypt_init(&mech, &tmi->dec_data.d_encr_key, tmi->dec_data.enc_tmpl, &tmi->dec_data.ctx, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "crypto_decrypt_init failed:" " %0x", result); goto cleanup; } } /* adjust the rptr so we don't decrypt the original hmac field */ v1.iov_base = (char *)mp->b_rptr + hash->hash_len; v1.iov_len = cipherlen; indata.cd_format = CRYPTO_DATA_RAW; indata.cd_offset = 0; indata.cd_length = cipherlen; indata.cd_raw = v1; if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) result = crypto_decrypt_update(tmi->dec_data.ctx, &indata, NULL, NULL); else result = crypto_decrypt(&mech, &indata, &tmi->dec_data.d_encr_key, NULL, NULL, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "crypto_decrypt_update failed:" " %0x", result); goto cleanup; } k2.ck_format = CRYPTO_KEY_RAW; k2.ck_length = sizeof (k2data) * 8; k2.ck_data = k2data; result = do_hmac(md5_hmac_mech, &k2, (char *)mp->b_rptr + hash->hash_len, cipherlen, (char *)cksum, hash->hash_len); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "arcfour_hmac_md5_decrypt: do_hmac(k2)" "failed - error %0x", result); goto cleanup; } if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) { cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed"); result = -1; goto cleanup; } /* * adjust the start of the mblk to skip over the * hash and confounder. */ mp->b_rptr += hash->hash_len + hash->confound_len; cleanup: bzero(k1data, sizeof (k1data)); bzero(k2data, sizeof (k2data)); bzero(cksum, sizeof (cksum)); bzero(saltdata, sizeof (saltdata)); if (result != CRYPTO_SUCCESS) { mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); return (NULL); } return (mp); } /* * ARCFOUR-HMAC-MD5 encrypt * * format of ciphertext when using ARCFOUR-HMAC-MD5 * +-----------+------------+------------+ * | hmac | confounder | msg-data | * +-----------+------------+------------+ * */ static mblk_t * arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) { int result; size_t cipherlen; size_t inlen; size_t saltlen; crypto_key_t k1, k2; crypto_data_t indata; iovec_t v1; uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab }; uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; crypto_mechanism_t mech; int usage; bzero(&indata, sizeof (indata)); /* The usage constant is 1026 for all "old" rcmd mode operations */ if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1) usage = RCMDV1_USAGE; else usage = ARCFOUR_ENCRYPT_USAGE; mech.cm_type = tmi->enc_data.mech_type; mech.cm_param = NULL; mech.cm_param_len = 0; /* * The size at this point should be the size of * all the plaintext plus the optional plaintext length * needed for RCMD V2 mode. There should also be room * at the head of the mblk for the confounder and hash info. */ inlen = (size_t)MBLKL(mp); cipherlen = encrypt_size(&tmi->enc_data, inlen); ASSERT(MBLKSIZE(mp) >= cipherlen); /* * Shift the rptr back enough to insert * the confounder and hash. */ mp->b_rptr -= (hash->confound_len + hash->hash_len); /* zero out the hash area */ bzero(mp->b_rptr, (size_t)hash->hash_len); if (cipherlen > inlen) { bzero(mp->b_wptr, MBLKTAIL(mp)); } if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); saltdata[9] = 0; saltdata[10] = usage & 0xff; saltdata[11] = (usage >> 8) & 0xff; saltdata[12] = (usage >> 16) & 0xff; saltdata[13] = (usage >> 24) & 0xff; saltlen = 14; } else { saltdata[0] = usage & 0xff; saltdata[1] = (usage >> 8) & 0xff; saltdata[2] = (usage >> 16) & 0xff; saltdata[3] = (usage >> 24) & 0xff; saltlen = 4; } /* * Use the salt value to create a key to be used * for subsequent HMAC operations. */ result = do_hmac(md5_hmac_mech, tmi->enc_data.ckey, (char *)saltdata, saltlen, (char *)k1data, sizeof (k1data)); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "arcfour_hmac_md5_encrypt: do_hmac(k1)" "failed - error %0x", result); goto cleanup; } bcopy(k1data, k2data, sizeof (k2data)); /* * For the neutered MS RC4 encryption type, * set the trailing 9 bytes to 0xab per the * RC4-HMAC spec. */ if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); } /* * Get the confounder bytes. */ (void) random_get_pseudo_bytes( (uint8_t *)(mp->b_rptr + hash->hash_len), (size_t)hash->confound_len); k2.ck_data = k2data; k2.ck_format = CRYPTO_KEY_RAW; k2.ck_length = sizeof (k2data) * 8; /* * This writes the HMAC to the hash area in the * mblk. The key used is the one just created by * the previous HMAC operation. * The data being processed is the confounder bytes * PLUS the input plaintext. */ result = do_hmac(md5_hmac_mech, &k2, (char *)mp->b_rptr + hash->hash_len, hash->confound_len + inlen, (char *)mp->b_rptr, hash->hash_len); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "arcfour_hmac_md5_encrypt: do_hmac(k2)" "failed - error %0x", result); goto cleanup; } /* * Because of the odd way that MIT uses RC4 keys * on the rlogin stream, we only need to create * this key once. * However, if using "old" rcmd mode, we need to do * it every time. */ if (tmi->enc_data.ctx == NULL || (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { crypto_key_t *key = &tmi->enc_data.d_encr_key; k1.ck_data = k1data; k1.ck_format = CRYPTO_KEY_RAW; k1.ck_length = sizeof (k1data) * 8; key->ck_format = CRYPTO_KEY_RAW; key->ck_length = k1.ck_length; if (key->ck_data == NULL) key->ck_data = kmem_zalloc( CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); /* * The final HMAC operation creates the encryption * key to be used for the encrypt operation. */ result = do_hmac(md5_hmac_mech, &k1, (char *)mp->b_rptr, hash->hash_len, (char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "arcfour_hmac_md5_encrypt: do_hmac(k3)" "failed - error %0x", result); goto cleanup; } } /* * If the context has not been initialized, do it now. */ if (tmi->enc_data.ctx == NULL && (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { /* * Only create a template if we are doing * chaining from block to block. */ result = crypto_create_ctx_template(&mech, &tmi->enc_data.d_encr_key, &tmi->enc_data.enc_tmpl, KM_SLEEP); if (result == CRYPTO_NOT_SUPPORTED) { tmi->enc_data.enc_tmpl = NULL; } else if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "failed to create enc template " "for RC4 encrypt: %0x", result); goto cleanup; } result = crypto_encrypt_init(&mech, &tmi->enc_data.d_encr_key, tmi->enc_data.enc_tmpl, &tmi->enc_data.ctx, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "crypto_encrypt_init failed:" " %0x", result); goto cleanup; } } v1.iov_base = (char *)mp->b_rptr + hash->hash_len; v1.iov_len = hash->confound_len + inlen; indata.cd_format = CRYPTO_DATA_RAW; indata.cd_offset = 0; indata.cd_length = hash->confound_len + inlen; indata.cd_raw = v1; if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) result = crypto_encrypt_update(tmi->enc_data.ctx, &indata, NULL, NULL); else result = crypto_encrypt(&mech, &indata, &tmi->enc_data.d_encr_key, NULL, NULL, NULL); if (result != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x", result); } cleanup: bzero(k1data, sizeof (k1data)); bzero(k2data, sizeof (k2data)); bzero(saltdata, sizeof (saltdata)); if (result != CRYPTO_SUCCESS) { mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); return (NULL); } return (mp); } /* * DES-CBC-[HASH] encrypt * * Needed to support userland apps that must support Kerberos V5 * encryption DES-CBC encryption modes. * * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1 * * format of ciphertext for DES-CBC functions, per RFC1510 is: * +-----------+----------+-------------+-----+ * |confounder | cksum | msg-data | pad | * +-----------+----------+-------------+-----+ * * format of ciphertext when using DES3-SHA1-HMAC * +-----------+----------+-------------+-----+ * |confounder | msg-data | hmac | pad | * +-----------+----------+-------------+-----+ * * The confounder is 8 bytes of random data. * The cksum depends on the hash being used. * 4 bytes for CRC32 * 16 bytes for MD5 * 20 bytes for SHA1 * 0 bytes for RAW * */ static mblk_t * des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) { int result; size_t cipherlen; size_t inlen; size_t plainlen; /* * The size at this point should be the size of * all the plaintext plus the optional plaintext length * needed for RCMD V2 mode. There should also be room * at the head of the mblk for the confounder and hash info. */ inlen = (size_t)MBLKL(mp); /* * The output size will be a multiple of 8 because this algorithm * only works on 8 byte chunks. */ cipherlen = encrypt_size(&tmi->enc_data, inlen); ASSERT(MBLKSIZE(mp) >= cipherlen); if (cipherlen > inlen) { bzero(mp->b_wptr, MBLKTAIL(mp)); } /* * Shift the rptr back enough to insert * the confounder and hash. */ if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { mp->b_rptr -= hash->confound_len; } else { mp->b_rptr -= (hash->confound_len + hash->hash_len); /* zero out the hash area */ bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len); } /* get random confounder from our friend, the 'random' module */ if (hash->confound_len > 0) { (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr, (size_t)hash->confound_len); } /* * For 3DES we calculate an HMAC later. */ if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) { /* calculate chksum of confounder + input */ if (hash->hash_len > 0 && hash->hashfunc != NULL) { uchar_t cksum[MAX_CKSUM_LEN]; result = hash->hashfunc(cksum, mp->b_rptr, cipherlen); if (result != CRYPTO_SUCCESS) { goto failure; } /* put hash in place right after the confounder */ bcopy(cksum, (mp->b_rptr + hash->confound_len), (size_t)hash->hash_len); } } /* * In order to support the "old" Kerberos RCMD protocol, * we must use the IVEC 3 different ways: * IVEC_REUSE = keep using the same IV each time, this is * ugly and insecure, but necessary for * backwards compatibility with existing MIT code. * IVEC_ONETIME = Use the ivec as initialized when the crypto * was setup (see setup_crypto routine). * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk). */ if (tmi->enc_data.ivec_usage == IVEC_NEVER) { bzero(tmi->enc_data.block, tmi->enc_data.blocklen); } else if (tmi->enc_data.ivec_usage == IVEC_REUSE) { bcopy(tmi->enc_data.ivec, tmi->enc_data.block, tmi->enc_data.blocklen); } if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { /* * The input length already included the hash size, * don't include this in the plaintext length * calculations. */ plainlen = cipherlen - hash->hash_len; mp->b_wptr = mp->b_rptr + plainlen; result = kef_encr_hmac(&tmi->enc_data, (void *)mp, (size_t)plainlen, (char *)(mp->b_rptr + plainlen), hash->hash_len); } else { ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp)); mp->b_wptr = mp->b_rptr + cipherlen; result = kef_crypt(&tmi->enc_data, (void *)mp, CRYPTO_DATA_MBLK, (size_t)cipherlen, CRYPT_ENCRYPT); } failure: if (result != CRYPTO_SUCCESS) { #ifdef DEBUG cmn_err(CE_WARN, "des_cbc_encrypt: kef_crypt encrypt " "failed (len: %ld) - error %0x", cipherlen, result); #endif mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); return (NULL); } else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) { /* * Because we are using KEF, we must manually * update our IV. */ bcopy(mp->b_wptr - tmi->enc_data.ivlen, tmi->enc_data.block, tmi->enc_data.ivlen); } if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { mp->b_wptr = mp->b_rptr + cipherlen; } return (mp); } /* * des_cbc_decrypt * * * Needed to support userland apps that must support Kerberos V5 * encryption DES-CBC decryption modes. * * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1 * * format of ciphertext for DES-CBC functions, per RFC1510 is: * +-----------+----------+-------------+-----+ * |confounder | cksum | msg-data | pad | * +-----------+----------+-------------+-----+ * * format of ciphertext when using DES3-SHA1-HMAC * +-----------+----------+-------------+-----+ * |confounder | msg-data | hmac | pad | * +-----------+----------+-------------+-----+ * * The confounder is 8 bytes of random data. * The cksum depends on the hash being used. * 4 bytes for CRC32 * 16 bytes for MD5 * 20 bytes for SHA1 * 0 bytes for RAW * */ static mblk_t * des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash) { uint_t inlen, datalen; int result = 0; uchar_t *optr = NULL; uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN]; uchar_t nextiv[DEFAULT_DES_BLOCKLEN]; /* Compute adjusted size */ inlen = MBLKL(mp); optr = mp->b_rptr; /* * In order to support the "old" Kerberos RCMD protocol, * we must use the IVEC 3 different ways: * IVEC_REUSE = keep using the same IV each time, this is * ugly and insecure, but necessary for * backwards compatibility with existing MIT code. * IVEC_ONETIME = Use the ivec as initialized when the crypto * was setup (see setup_crypto routine). * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk). */ if (tmi->dec_data.ivec_usage == IVEC_NEVER) bzero(tmi->dec_data.block, tmi->dec_data.blocklen); else if (tmi->dec_data.ivec_usage == IVEC_REUSE) bcopy(tmi->dec_data.ivec, tmi->dec_data.block, tmi->dec_data.blocklen); if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { /* * Do not decrypt the HMAC at the end */ int decrypt_len = inlen - hash->hash_len; /* * Move the wptr so the mblk appears to end * BEFORE the HMAC section. */ mp->b_wptr = mp->b_rptr + decrypt_len; /* * Because we are using KEF, we must manually update our * IV. */ if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen, nextiv, tmi->dec_data.ivlen); } result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len, (char *)newcksum, hash->hash_len); } else { /* * Because we are using KEF, we must manually update our * IV. */ if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv, tmi->dec_data.ivlen); } result = kef_crypt(&tmi->dec_data, (void *)mp, CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT); } if (result != CRYPTO_SUCCESS) { #ifdef DEBUG cmn_err(CE_WARN, "des_cbc_decrypt: kef_crypt decrypt " "failed - error %0x", result); #endif mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); return (NULL); } /* * Manually update the IV, KEF does not track this for us. */ if (tmi->dec_data.ivec_usage == IVEC_ONETIME) { bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen); } /* Verify the checksum(if necessary) */ if (hash->hash_len > 0) { if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) { bcopy(mp->b_rptr + inlen - hash->hash_len, cksum, hash->hash_len); } else { bcopy(optr + hash->confound_len, cksum, hash->hash_len); /* zero the cksum in the buffer */ ASSERT(optr + hash->confound_len + hash->hash_len <= DB_LIM(mp)); bzero(optr + hash->confound_len, hash->hash_len); /* calculate MD5 chksum of confounder + input */ if (hash->hashfunc) { (void) hash->hashfunc(newcksum, optr, inlen); } } if (bcmp(cksum, newcksum, hash->hash_len)) { #ifdef DEBUG cmn_err(CE_WARN, "des_cbc_decrypt: checksum " "verification failed"); #endif mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); return (NULL); } } datalen = inlen - hash->confound_len - hash->hash_len; /* Move just the decrypted input into place if necessary */ if (hash->confound_len > 0 || hash->hash_len > 0) { if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) mp->b_rptr += hash->confound_len; else mp->b_rptr += hash->confound_len + hash->hash_len; } ASSERT(mp->b_rptr + datalen <= DB_LIM(mp)); mp->b_wptr = mp->b_rptr + datalen; return (mp); } static mblk_t * do_decrypt(queue_t *q, mblk_t *mp) { struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; mblk_t *outmp; switch (tmi->dec_data.method) { case CRYPT_METHOD_DES_CFB: outmp = des_cfb_decrypt(q, tmi, mp); break; case CRYPT_METHOD_NONE: outmp = mp; break; case CRYPT_METHOD_DES_CBC_NULL: outmp = des_cbc_decrypt(q, tmi, mp, &null_hash); break; case CRYPT_METHOD_DES_CBC_MD5: outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash); break; case CRYPT_METHOD_DES_CBC_CRC: outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash); break; case CRYPT_METHOD_DES3_CBC_SHA1: outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash); break; case CRYPT_METHOD_ARCFOUR_HMAC_MD5: case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash); break; case CRYPT_METHOD_AES128: case CRYPT_METHOD_AES256: outmp = aes_decrypt(q, tmi, mp, &sha1_hash); break; } return (outmp); } /* * do_encrypt * * Generic encryption routine for a single message block. * The input mblk may be replaced by some encrypt routines * because they add extra data in some cases that may exceed * the input mblk_t size limit. */ static mblk_t * do_encrypt(queue_t *q, mblk_t *mp) { struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; mblk_t *outmp; switch (tmi->enc_data.method) { case CRYPT_METHOD_DES_CFB: outmp = des_cfb_encrypt(q, tmi, mp); break; case CRYPT_METHOD_DES_CBC_NULL: outmp = des_cbc_encrypt(q, tmi, mp, &null_hash); break; case CRYPT_METHOD_DES_CBC_MD5: outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash); break; case CRYPT_METHOD_DES_CBC_CRC: outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash); break; case CRYPT_METHOD_DES3_CBC_SHA1: outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash); break; case CRYPT_METHOD_ARCFOUR_HMAC_MD5: case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash); break; case CRYPT_METHOD_AES128: case CRYPT_METHOD_AES256: outmp = aes_encrypt(q, tmi, mp, &sha1_hash); break; case CRYPT_METHOD_NONE: outmp = mp; break; } return (outmp); } /* * setup_crypto * * This takes the data from the CRYPTIOCSETUP ioctl * and sets up a cipher_data_t structure for either * encryption or decryption. This is where the * key and initialization vector data get stored * prior to beginning any crypto functions. * * Special note: * Some applications(e.g. telnetd) have ability to switch * crypto on/off periodically. Thus, the application may call * the CRYPTIOCSETUP ioctl many times for the same stream. * If the CRYPTIOCSETUP is called with 0 length key or ivec fields * assume that the key, block, and saveblock fields that are already * set from a previous CRIOCSETUP call are still valid. This helps avoid * a rekeying error that could occur if we overwrite these fields * with each CRYPTIOCSETUP call. * In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off * without resetting the original crypto parameters. * */ static int setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt) { uint_t newblocklen; uint32_t enc_usage = 0, dec_usage = 0; int rv; /* * Initial sanity checks */ if (!CR_METHOD_OK(ci->crypto_method)) { cmn_err(CE_WARN, "Illegal crypto method (%d)", ci->crypto_method); return (EINVAL); } if (!CR_OPTIONS_OK(ci->option_mask)) { cmn_err(CE_WARN, "Illegal crypto options (%d)", ci->option_mask); return (EINVAL); } if (!CR_IVUSAGE_OK(ci->ivec_usage)) { cmn_err(CE_WARN, "Illegal ivec usage value (%d)", ci->ivec_usage); return (EINVAL); } cd->method = ci->crypto_method; cd->bytes = 0; if (ci->keylen > 0) { if (cd->key != NULL) { kmem_free(cd->key, cd->keylen); cd->key = NULL; cd->keylen = 0; } /* * cd->key holds the copy of the raw key bytes passed in * from the userland app. */ cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP); cd->keylen = ci->keylen; bcopy(ci->key, cd->key, (size_t)ci->keylen); } /* * Configure the block size based on the type of cipher. */ switch (cd->method) { case CRYPT_METHOD_NONE: newblocklen = 0; break; case CRYPT_METHOD_DES_CFB: newblocklen = DEFAULT_DES_BLOCKLEN; cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB); break; case CRYPT_METHOD_DES_CBC_NULL: case CRYPT_METHOD_DES_CBC_MD5: case CRYPT_METHOD_DES_CBC_CRC: newblocklen = DEFAULT_DES_BLOCKLEN; cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC); break; case CRYPT_METHOD_DES3_CBC_SHA1: newblocklen = DEFAULT_DES_BLOCKLEN; cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC); /* 3DES always uses the old usage constant */ enc_usage = RCMDV1_USAGE; dec_usage = RCMDV1_USAGE; break; case CRYPT_METHOD_ARCFOUR_HMAC_MD5: case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP: newblocklen = 0; cd->mech_type = crypto_mech2id(SUN_CKM_RC4); break; case CRYPT_METHOD_AES128: case CRYPT_METHOD_AES256: newblocklen = DEFAULT_AES_BLOCKLEN; cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB); enc_usage = AES_ENCRYPT_USAGE; dec_usage = AES_DECRYPT_USAGE; break; } if (cd->mech_type == CRYPTO_MECH_INVALID) { return (CRYPTO_FAILED); } /* * If RC4, initialize the master crypto key used by * the RC4 algorithm to derive the final encrypt and decrypt keys. */ if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) { /* * cd->ckey is a kernel crypto key structure used as the * master key in the RC4-HMAC crypto operations. */ if (cd->ckey == NULL) { cd->ckey = (crypto_key_t *)kmem_zalloc( sizeof (crypto_key_t), KM_SLEEP); } cd->ckey->ck_format = CRYPTO_KEY_RAW; cd->ckey->ck_data = cd->key; /* key length for EF is measured in bits */ cd->ckey->ck_length = cd->keylen * 8; } /* * cd->block and cd->saveblock are used as temporary storage for * data that must be carried over between encrypt/decrypt operations * in some of the "feedback" modes. */ if (newblocklen != cd->blocklen) { if (cd->block != NULL) { kmem_free(cd->block, cd->blocklen); cd->block = NULL; } if (cd->saveblock != NULL) { kmem_free(cd->saveblock, cd->blocklen); cd->saveblock = NULL; } cd->blocklen = newblocklen; if (cd->blocklen) { cd->block = (char *)kmem_zalloc((size_t)cd->blocklen, KM_SLEEP); } if (cd->method == CRYPT_METHOD_DES_CFB) cd->saveblock = (char *)kmem_zalloc(cd->blocklen, KM_SLEEP); else cd->saveblock = NULL; } if (ci->iveclen != cd->ivlen) { if (cd->ivec != NULL) { kmem_free(cd->ivec, cd->ivlen); cd->ivec = NULL; } if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) { cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen, KM_SLEEP); cd->ivlen = ci->iveclen; } else { cd->ivlen = 0; cd->ivec = NULL; } } cd->option_mask = ci->option_mask; /* * Old protocol requires a static 'usage' value for * deriving keys. Yuk. */ if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) { enc_usage = dec_usage = RCMDV1_USAGE; } if (cd->ivlen > cd->blocklen) { cmn_err(CE_WARN, "setup_crypto: IV longer than block size"); return (EINVAL); } /* * If we are using an IVEC "correctly" (i.e. set it once) * copy it here. */ if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL) bcopy(ci->ivec, cd->block, (size_t)cd->ivlen); cd->ivec_usage = ci->ivec_usage; if (cd->ivec != NULL) { /* Save the original IVEC in case we need it later */ bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen); } /* * Special handling for 3DES-SHA1-HMAC and AES crypto: * generate derived keys and context templates * for better performance. */ if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 || IS_AES_METHOD(cd->method)) { crypto_mechanism_t enc_mech; crypto_mechanism_t hmac_mech; if (cd->d_encr_key.ck_data != NULL) { bzero(cd->d_encr_key.ck_data, cd->keylen); kmem_free(cd->d_encr_key.ck_data, cd->keylen); } if (cd->d_hmac_key.ck_data != NULL) { bzero(cd->d_hmac_key.ck_data, cd->keylen); kmem_free(cd->d_hmac_key.ck_data, cd->keylen); } if (cd->enc_tmpl != NULL) (void) crypto_destroy_ctx_template(cd->enc_tmpl); if (cd->hmac_tmpl != NULL) (void) crypto_destroy_ctx_template(cd->hmac_tmpl); enc_mech.cm_type = cd->mech_type; enc_mech.cm_param = cd->ivec; enc_mech.cm_param_len = cd->ivlen; hmac_mech.cm_type = sha1_hmac_mech; hmac_mech.cm_param = NULL; hmac_mech.cm_param_len = 0; /* * Create the derived keys. */ rv = create_derived_keys(cd, (encrypt ? enc_usage : dec_usage), &cd->d_encr_key, &cd->d_hmac_key); if (rv != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "failed to create derived " "keys: %0x", rv); return (CRYPTO_FAILED); } rv = crypto_create_ctx_template(&enc_mech, &cd->d_encr_key, &cd->enc_tmpl, KM_SLEEP); if (rv == CRYPTO_MECH_NOT_SUPPORTED) { cd->enc_tmpl = NULL; } else if (rv != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "failed to create enc template " "for d_encr_key: %0x", rv); return (CRYPTO_FAILED); } rv = crypto_create_ctx_template(&hmac_mech, &cd->d_hmac_key, &cd->hmac_tmpl, KM_SLEEP); if (rv == CRYPTO_MECH_NOT_SUPPORTED) { cd->hmac_tmpl = NULL; } else if (rv != CRYPTO_SUCCESS) { cmn_err(CE_WARN, "failed to create hmac template:" " %0x", rv); return (CRYPTO_FAILED); } } else if (IS_RC4_METHOD(cd->method)) { bzero(&cd->d_encr_key, sizeof (crypto_key_t)); bzero(&cd->d_hmac_key, sizeof (crypto_key_t)); cd->ctx = NULL; cd->enc_tmpl = NULL; cd->hmac_tmpl = NULL; } /* Final sanity checks, make sure no fields are NULL */ if (cd->method != CRYPT_METHOD_NONE) { if (cd->block == NULL && cd->blocklen > 0) { #ifdef DEBUG cmn_err(CE_WARN, "setup_crypto: IV block not allocated"); #endif return (ENOMEM); } if (cd->key == NULL && cd->keylen > 0) { #ifdef DEBUG cmn_err(CE_WARN, "setup_crypto: key block not allocated"); #endif return (ENOMEM); } if (cd->method == CRYPT_METHOD_DES_CFB && cd->saveblock == NULL && cd->blocklen > 0) { #ifdef DEBUG cmn_err(CE_WARN, "setup_crypto: save block not allocated"); #endif return (ENOMEM); } if (cd->ivec == NULL && cd->ivlen > 0) { #ifdef DEBUG cmn_err(CE_WARN, "setup_crypto: IV not allocated"); #endif return (ENOMEM); } } return (0); } /* * RCMDS require a 4 byte, clear text * length field before each message. * Add it now. */ static mblk_t * mklenmp(mblk_t *bp, uint32_t len) { mblk_t *lenmp; uchar_t *ucp; if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) { lenmp = allocb(4, BPRI_MED); if (lenmp != NULL) { lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp); linkb(lenmp, bp); bp = lenmp; } } ucp = bp->b_rptr; *--ucp = len; *--ucp = len >> 8; *--ucp = len >> 16; *--ucp = len >> 24; bp->b_rptr = ucp; return (bp); } static mblk_t * encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen) { mblk_t *newmp; size_t headspace; mblk_t *cbp; size_t cipherlen; size_t extra = 0; uint32_t ptlen = (uint32_t)plainlen; /* * If we are using the "NEW" RCMD mode, * add 4 bytes to the plaintext for the * plaintext length that gets prepended * before encrypting. */ if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) ptlen += 4; cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen); /* * if we must allocb, then make sure its enough * to hold the length field so we dont have to allocb * again down below in 'mklenmp' */ if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) { extra = sizeof (uint32_t); } /* * Calculate how much space is needed in front of * the data. */ headspace = plaintext_offset(&tmi->enc_data); /* * If the current block is too small, reallocate * one large enough to hold the hdr, tail, and * ciphertext. */ if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) { int sz = P2ROUNDUP(cipherlen+extra, 8); cbp = allocb_tmpl(sz, mp); if (cbp == NULL) { cmn_err(CE_WARN, "allocb (%d bytes) failed", sz); return (NULL); } cbp->b_cont = mp->b_cont; /* * headspace includes the length fields needed * for the RCMD modes (v1 == 4 bytes, V2 = 8) */ ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen+headspace, 8) <= DB_LIM(cbp)); cbp->b_rptr = DB_BASE(cbp) + headspace; bcopy(mp->b_rptr, cbp->b_rptr, plainlen); cbp->b_wptr = cbp->b_rptr + plainlen; freeb(mp); } else { size_t extra = 0; cbp = mp; /* * Some ciphers add HMAC after the final block * of the ciphertext, not at the beginning like the * 1-DES ciphers. */ if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1 || IS_AES_METHOD(tmi->enc_data.method)) { extra = sha1_hash.hash_len; } /* * Make sure the rptr is positioned correctly so that * routines later do not have to shift this data around */ if ((cbp->b_rptr + P2ROUNDUP(cipherlen + extra, 8) > DB_LIM(cbp)) || (cbp->b_rptr - headspace < DB_BASE(cbp))) { ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace, plainlen); cbp->b_rptr = DB_BASE(cbp) + headspace; cbp->b_wptr = cbp->b_rptr + plainlen; } } ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp)); ASSERT(cbp->b_wptr <= DB_LIM(cbp)); /* * If using RCMD_MODE_V2 (new rcmd mode), prepend * the plaintext length before the actual plaintext. */ if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) { cbp->b_rptr -= RCMD_LEN_SZ; /* put plaintext length at head of buffer */ *(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff); *(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff); *(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff); *(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff); } newmp = do_encrypt(q, cbp); if (newmp != NULL && (tmi->enc_data.option_mask & (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) { mblk_t *lp; /* * Add length field, required when this is * used to encrypt "r*" commands(rlogin, rsh) * with Kerberos. */ lp = mklenmp(newmp, plainlen); if (lp == NULL) { freeb(newmp); return (NULL); } else { newmp = lp; } } return (newmp); } /* * encrypt_msgb * * encrypt a single message. This routine adds the * RCMD overhead bytes when necessary. */ static mblk_t * encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp) { size_t plainlen, outlen; mblk_t *newmp = NULL; /* If not encrypting, do nothing */ if (tmi->enc_data.method == CRYPT_METHOD_NONE) { return (mp); } plainlen = MBLKL(mp); if (plainlen == 0) return (NULL); /* * If the block is too big, we encrypt in 4K chunks so that * older rlogin clients do not choke on the larger buffers. */ while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) { mblk_t *mp1 = NULL; outlen = MSGBUF_SIZE; /* * Allocate a new buffer that is only 4K bytes, the * extra bytes are for crypto overhead. */ mp1 = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED); if (mp1 == NULL) { cmn_err(CE_WARN, "allocb (%d bytes) failed", (int)(outlen + CONFOUNDER_BYTES)); return (NULL); } /* Copy the next 4K bytes from the old block. */ bcopy(mp->b_rptr, mp1->b_rptr, outlen); mp1->b_wptr = mp1->b_rptr + outlen; /* Advance the old block. */ mp->b_rptr += outlen; /* encrypt the new block */ newmp = encrypt_block(q, tmi, mp1, outlen); if (newmp == NULL) return (NULL); putnext(q, newmp); } newmp = NULL; /* If there is data left (< MSGBUF_SIZE), encrypt it. */ if ((plainlen = MBLKL(mp)) > 0) newmp = encrypt_block(q, tmi, mp, plainlen); return (newmp); } /* * cryptmodwsrv * * Service routine for the write queue. * * Because data may be placed in the queue to hold between * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed. */ static int cryptmodwsrv(queue_t *q) { mblk_t *mp; struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; while ((mp = getq(q)) != NULL) { switch (mp->b_datap->db_type) { default: /* * wput does not queue anything > QPCTL */ if (!canputnext(q) || !(tmi->ready & CRYPT_WRITE_READY)) { if (!putbq(q, mp)) { freemsg(mp); } return (0); } putnext(q, mp); break; case M_DATA: if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) { mblk_t *bp; mblk_t *newmsg = NULL; /* * If multiple msgs, concat into 1 * to minimize crypto operations later. */ if (mp->b_cont != NULL) { bp = msgpullup(mp, -1); if (bp != NULL) { freemsg(mp); mp = bp; } } newmsg = encrypt_msgb(q, tmi, mp); if (newmsg != NULL) putnext(q, newmsg); } else { if (!putbq(q, mp)) { freemsg(mp); } return (0); } break; } } return (0); } static void start_stream(queue_t *wq, mblk_t *mp, uchar_t dir) { mblk_t *newmp = NULL; struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr; if (dir == CRYPT_ENCRYPT) { tmi->ready |= CRYPT_WRITE_READY; (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, "start_stream: restart ENCRYPT/WRITE q")); enableok(wq); qenable(wq); } else if (dir == CRYPT_DECRYPT) { /* * put any extra data in the RD * queue to be processed and * sent back up. */ newmp = mp->b_cont; mp->b_cont = NULL; tmi->ready |= CRYPT_READ_READY; (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, "start_stream: restart " "DECRYPT/READ q")); if (newmp != NULL) if (!putbq(RD(wq), newmp)) freemsg(newmp); enableok(RD(wq)); qenable(RD(wq)); } miocack(wq, mp, 0, 0); } /* * Write-side put procedure. Its main task is to detect ioctls and * FLUSH operations. Other message types are passed on through. */ static int cryptmodwput(queue_t *wq, mblk_t *mp) { struct iocblk *iocp; struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr; int ret, err; switch (mp->b_datap->db_type) { case M_DATA: if (wq->q_first == NULL && canputnext(wq) && (tmi->ready & CRYPT_WRITE_READY) && tmi->enc_data.method == CRYPT_METHOD_NONE) { putnext(wq, mp); return (0); } /* else, put it in the service queue */ if (!putq(wq, mp)) { freemsg(mp); } break; case M_FLUSH: if (*mp->b_rptr & FLUSHW) { flushq(wq, FLUSHDATA); } putnext(wq, mp); break; case M_IOCTL: iocp = (struct iocblk *)mp->b_rptr; switch (iocp->ioc_cmd) { case CRYPTIOCSETUP: ret = 0; (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE | SL_NOTE, "wput: got CRYPTIOCSETUP " "ioctl(%d)", iocp->ioc_cmd)); if ((err = miocpullup(mp, sizeof (struct cr_info_t))) != 0) { cmn_err(CE_WARN, "wput: miocpullup failed for cr_info_t"); miocnak(wq, mp, 0, err); } else { struct cr_info_t *ci; ci = (struct cr_info_t *)mp->b_cont->b_rptr; if (ci->direction_mask & CRYPT_ENCRYPT) { ret = setup_crypto(ci, &tmi->enc_data, 1); } if (ret == 0 && (ci->direction_mask & CRYPT_DECRYPT)) { ret = setup_crypto(ci, &tmi->dec_data, 0); } if (ret == 0 && (ci->direction_mask & CRYPT_DECRYPT) && ANY_RCMD_MODE(tmi->dec_data.option_mask)) { bzero(&tmi->rcmd_state, sizeof (tmi->rcmd_state)); } if (ret == 0) { miocack(wq, mp, 0, 0); } else { cmn_err(CE_WARN, "wput: setup_crypto failed"); miocnak(wq, mp, 0, ret); } (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, "wput: done with SETUP " "ioctl")); } break; case CRYPTIOCSTOP: (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, "wput: got CRYPTIOCSTOP " "ioctl(%d)", iocp->ioc_cmd)); if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) { cmn_err(CE_WARN, "wput: CRYPTIOCSTOP ioctl wrong " "size (%d should be %d)", (int)iocp->ioc_count, (int)sizeof (uint32_t)); miocnak(wq, mp, 0, err); } else { uint32_t *stopdir; stopdir = (uint32_t *)mp->b_cont->b_rptr; if (!CR_DIRECTION_OK(*stopdir)) { miocnak(wq, mp, 0, EINVAL); return (0); } /* disable the queues until further notice */ if (*stopdir & CRYPT_ENCRYPT) { noenable(wq); tmi->ready &= ~CRYPT_WRITE_READY; } if (*stopdir & CRYPT_DECRYPT) { noenable(RD(wq)); tmi->ready &= ~CRYPT_READ_READY; } miocack(wq, mp, 0, 0); } break; case CRYPTIOCSTARTDEC: (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, "wput: got CRYPTIOCSTARTDEC " "ioctl(%d)", iocp->ioc_cmd)); start_stream(wq, mp, CRYPT_DECRYPT); break; case CRYPTIOCSTARTENC: (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE, "wput: got CRYPTIOCSTARTENC " "ioctl(%d)", iocp->ioc_cmd)); start_stream(wq, mp, CRYPT_ENCRYPT); break; default: putnext(wq, mp); break; } break; default: if (queclass(mp) < QPCTL) { if (wq->q_first != NULL || !canputnext(wq)) { if (!putq(wq, mp)) freemsg(mp); return (0); } } putnext(wq, mp); break; } return (0); } /* * decrypt_rcmd_mblks * * Because kerberized r* commands(rsh, rlogin, etc) * use a 4 byte length field to indicate the # of * PLAINTEXT bytes that are encrypted in the field * that follows, we must parse out each message and * break out the length fields prior to sending them * upstream to our Solaris r* clients/servers which do * NOT understand this format. * * Kerberized/encrypted message format: * ------------------------------- * | XXXX | N bytes of ciphertext| * ------------------------------- * * Where: XXXX = number of plaintext bytes that were encrypted in * to make the ciphertext field. This is done * because we are using a cipher that pads out to * an 8 byte boundary. We only want the application * layer to see the correct number of plain text bytes, * not plaintext + pad. So, after we decrypt, we * must trim the output block down to the intended * plaintext length and eliminate the pad bytes. * * This routine takes the entire input message, breaks it into * a new message that does not contain these length fields and * returns a message consisting of mblks filled with just ciphertext. * */ static mblk_t * decrypt_rcmd_mblks(queue_t *q, mblk_t *mp) { mblk_t *newmp = NULL; size_t msglen; struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; msglen = msgsize(mp); /* * If we need the length field, get it here. * Test the "plaintext length" indicator. */ if (tmi->rcmd_state.pt_len == 0) { uint32_t elen; int tocopy; mblk_t *nextp; /* * Make sure we have recieved all 4 bytes of the * length field. */ while (mp != NULL) { ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t)); tocopy = sizeof (uint32_t) - tmi->rcmd_state.cd_len; if (tocopy > msglen) tocopy = msglen; ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp)); bcopy(mp->b_rptr, (char *)(&tmi->rcmd_state.next_len + tmi->rcmd_state.cd_len), tocopy); tmi->rcmd_state.cd_len += tocopy; if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) { tmi->rcmd_state.next_len = ntohl(tmi->rcmd_state.next_len); break; } nextp = mp->b_cont; mp->b_cont = NULL; freeb(mp); mp = nextp; } if (mp == NULL) { return (NULL); } /* * recalculate the msglen now that we've read the * length and adjusted the bufptr (b_rptr). */ msglen -= tocopy; mp->b_rptr += tocopy; tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len; if (tmi->rcmd_state.pt_len <= 0) { /* * Return an IO error to break the connection. there * is no way to recover from this. Usually it means * the app has incorrectly requested decryption on * a non-encrypted stream, thus the "pt_len" field * is negative. */ mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; qreply(WR(q), mp); tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0; return (NULL); } /* * If this is V2 mode, then the encrypted data is actually * 4 bytes bigger than the indicated len because the plaintext * length is encrypted for an additional security check, but * its not counted as part of the overall length we just read. * Strange and confusing, but true. */ if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) elen = tmi->rcmd_state.pt_len + 4; else elen = tmi->rcmd_state.pt_len; tmi->rcmd_state.cd_len = encrypt_size(&tmi->dec_data, elen); /* * Allocate an mblk to hold the cipher text until it is * all ready to be processed. */ tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len, BPRI_HI); if (tmi->rcmd_state.c_msg == NULL) { #ifdef DEBUG cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed " "for %d bytes", (int)tmi->rcmd_state.cd_len); #endif /* * Return an IO error to break the connection. */ mp->b_datap->db_type = M_ERROR; mp->b_rptr = mp->b_datap->db_base; *mp->b_rptr = EIO; mp->b_wptr = mp->b_rptr + sizeof (char); freemsg(mp->b_cont); mp->b_cont = NULL; tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0; qreply(WR(q), mp); return (NULL); } } /* * If this entire message was just the length field, * free and return. The actual data will probably be next. */ if (msglen == 0) { freemsg(mp); return (NULL); } /* * Copy as much of the cipher text as possible into * the new msgb (c_msg). * * Logic: if we got some bytes (msglen) and we still * "need" some bytes (len-rcvd), get them here. */ ASSERT(tmi->rcmd_state.c_msg != NULL); if (msglen > 0 && (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) { mblk_t *bp, *nextp; size_t n; /* * Walk the mblks and copy just as many bytes as we need * for this particular block of cipher text. */ bp = mp; while (bp != NULL) { size_t needed; size_t tocopy; n = MBLKL(bp); needed = tmi->rcmd_state.cd_len - MBLKL(tmi->rcmd_state.c_msg); tocopy = (needed >= n ? n : needed); ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp)); ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <= DB_LIM(tmi->rcmd_state.c_msg)); /* Copy to end of new mblk */ bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr, tocopy); tmi->rcmd_state.c_msg->b_wptr += tocopy; bp->b_rptr += tocopy; nextp = bp->b_cont; /* * If we used this whole block, free it and * move on. */ if (!MBLKL(bp)) { freeb(bp); bp = NULL; } /* If we got what we needed, stop the loop */ if (MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) { /* * If there is more data in the message, * its for another block of cipher text, * put it back in the queue for next time. */ if (bp) { if (!putbq(q, bp)) freemsg(bp); } else if (nextp != NULL) { /* * If there is more, put it back in the * queue for another pass thru. */ if (!putbq(q, nextp)) freemsg(nextp); } break; } bp = nextp; } } /* * Finally, if we received all the cipher text data for * this message, decrypt it into a new msg and send it up * to the app. */ if (tmi->rcmd_state.pt_len > 0 && MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) { mblk_t *bp; mblk_t *newbp; /* * Now we can use our msg that we created when the * initial message boundary was detected. */ bp = tmi->rcmd_state.c_msg; tmi->rcmd_state.c_msg = NULL; newbp = do_decrypt(q, bp); if (newbp != NULL) { bp = newbp; /* * If using RCMD_MODE_V2 ("new" mode), * look at the 4 byte plaintext length that * was just decrypted and compare with the * original pt_len value that was received. */ if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) { uint32_t pt_len2; pt_len2 = *(uint32_t *)bp->b_rptr; pt_len2 = ntohl(pt_len2); /* * Make sure the 2 pt len fields agree. */ if (pt_len2 != tmi->rcmd_state.pt_len) { cmn_err(CE_WARN, "Inconsistent length fields" " received %d != %d", (int)tmi->rcmd_state.pt_len, (int)pt_len2); bp->b_datap->db_type = M_ERROR; bp->b_rptr = bp->b_datap->db_base; *bp->b_rptr = EIO; bp->b_wptr = bp->b_rptr + sizeof (char); freemsg(bp->b_cont); bp->b_cont = NULL; tmi->rcmd_state.cd_len = 0; qreply(WR(q), bp); return (NULL); } bp->b_rptr += sizeof (uint32_t); } /* * Trim the decrypted block the length originally * indicated by the sender. This is to remove any * padding bytes that the sender added to satisfy * requirements of the crypto algorithm. */ bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len; newmp = bp; /* * Reset our state to indicate we are ready * for a new message. */ tmi->rcmd_state.pt_len = 0; tmi->rcmd_state.cd_len = 0; } else { #ifdef DEBUG cmn_err(CE_WARN, "decrypt_rcmd: do_decrypt on %d bytes failed", (int)tmi->rcmd_state.cd_len); #endif /* * do_decrypt already handled failures, just * return NULL. */ tmi->rcmd_state.pt_len = 0; tmi->rcmd_state.cd_len = 0; return (NULL); } } /* * return the new message with the 'length' fields removed */ return (newmp); } /* * cryptmodrsrv * * Read queue service routine * Necessary because if the ready flag is not set * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data * must remain on queue and not be passed along. */ static int cryptmodrsrv(queue_t *q) { mblk_t *mp, *bp; struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr; while ((mp = getq(q)) != NULL) { switch (mp->b_datap->db_type) { case M_DATA: if (canputnext(q) && tmi->ready & CRYPT_READ_READY) { /* * Process "rcmd" messages differently because * they contain a 4 byte plaintext length * id that needs to be removed. */ if (tmi->dec_data.method != CRYPT_METHOD_NONE && (tmi->dec_data.option_mask & (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) { mp = decrypt_rcmd_mblks(q, mp); if (mp) putnext(q, mp); continue; } if ((bp = msgpullup(mp, -1)) != NULL) { freemsg(mp); if (MBLKL(bp) > 0) { mp = do_decrypt(q, bp); if (mp != NULL) putnext(q, mp); } } } else { if (!putbq(q, mp)) { freemsg(mp); } return (0); } break; default: /* * rput does not queue anything > QPCTL, so we don't * need to check for it here. */ if (!canputnext(q)) { if (!putbq(q, mp)) freemsg(mp); return (0); } putnext(q, mp); break; } } return (0); } /* * Read-side put procedure. */ static int cryptmodrput(queue_t *rq, mblk_t *mp) { switch (mp->b_datap->db_type) { case M_DATA: if (!putq(rq, mp)) { freemsg(mp); } break; case M_FLUSH: if (*mp->b_rptr & FLUSHR) { flushq(rq, FLUSHALL); } putnext(rq, mp); break; default: if (queclass(mp) < QPCTL) { if (rq->q_first != NULL || !canputnext(rq)) { if (!putq(rq, mp)) freemsg(mp); return (0); } } putnext(rq, mp); break; } return (0); }