xref: /illumos-gate/usr/src/uts/common/io/cryptmod.c (revision e81f5104)
1 /*
2  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  *
5  * Copyright (c) 2018, Joyent, Inc.
6  *
7  * STREAMS Crypto Module
8  *
9  * This module is used to facilitate Kerberos encryption
10  * operations for the telnet daemon and rlogin daemon.
11  * Because the Solaris telnet and rlogin daemons run mostly
12  * in-kernel via 'telmod' and 'rlmod', this module must be
13  * pushed on the STREAM *below* telmod or rlmod.
14  *
15  * Parts of the 3DES key derivation code are covered by the
16  * following copyright.
17  *
18  * Copyright (C) 1998 by the FundsXpress, INC.
19  *
20  * All rights reserved.
21  *
22  * Export of this software from the United States of America may require
23  * a specific license from the United States Government.  It is the
24  * responsibility of any person or organization contemplating export to
25  * obtain such a license before exporting.
26  *
27  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
28  * distribute this software and its documentation for any purpose and
29  * without fee is hereby granted, provided that the above copyright
30  * notice appear in all copies and that both that copyright notice and
31  * this permission notice appear in supporting documentation, and that
32  * the name of FundsXpress. not be used in advertising or publicity pertaining
33  * to distribution of the software without specific, written prior
34  * permission.  FundsXpress makes no representations about the suitability of
35  * this software for any purpose.  It is provided "as is" without express
36  * or implied warranty.
37  *
38  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
39  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
40  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
41  */
42 
43 #include <sys/types.h>
44 #include <sys/sysmacros.h>
45 #include <sys/errno.h>
46 #include <sys/debug.h>
47 #include <sys/time.h>
48 #include <sys/stropts.h>
49 #include <sys/stream.h>
50 #include <sys/strsubr.h>
51 #include <sys/strlog.h>
52 #include <sys/cmn_err.h>
53 #include <sys/conf.h>
54 #include <sys/sunddi.h>
55 #include <sys/kmem.h>
56 #include <sys/strsun.h>
57 #include <sys/random.h>
58 #include <sys/types.h>
59 #include <sys/byteorder.h>
60 #include <sys/cryptmod.h>
61 #include <sys/crc32.h>
62 #include <sys/policy.h>
63 
64 #include <sys/crypto/api.h>
65 
66 /*
67  * Function prototypes.
68  */
69 static	int	cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
70 static  int	cryptmodrput(queue_t *, mblk_t *);
71 static  int	cryptmodwput(queue_t *, mblk_t *);
72 static	int	cryptmodclose(queue_t *, int, cred_t *);
73 static	int	cryptmodwsrv(queue_t *);
74 static	int	cryptmodrsrv(queue_t *);
75 
76 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
77 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);
78 
79 #define	CRYPTMOD_ID 5150
80 
81 #define	CFB_BLKSZ 8
82 
83 #define	K5CLENGTH 5
84 
85 static struct module_info	cryptmod_minfo = {
86 	CRYPTMOD_ID,	/* mi_idnum */
87 	"cryptmod",	/* mi_idname */
88 	0,		/* mi_minpsz */
89 	INFPSZ,		/* mi_maxpsz */
90 	65536,		/* mi_hiwat */
91 	1024		/* mi_lowat */
92 };
93 
94 static struct qinit	cryptmod_rinit = {
95 	cryptmodrput,	/* qi_putp */
96 	cryptmodrsrv,	/* qi_svc */
97 	cryptmodopen,	/* qi_qopen */
98 	cryptmodclose,	/* qi_qclose */
99 	NULL,		/* qi_qadmin */
100 	&cryptmod_minfo,	/* qi_minfo */
101 	NULL		/* qi_mstat */
102 };
103 
104 static struct qinit	cryptmod_winit = {
105 	cryptmodwput,	/* qi_putp */
106 	cryptmodwsrv,	/* qi_srvp */
107 	NULL,		/* qi_qopen */
108 	NULL,		/* qi_qclose */
109 	NULL,		/* qi_qadmin */
110 	&cryptmod_minfo,	/* qi_minfo */
111 	NULL		/* qi_mstat */
112 };
113 
114 static struct streamtab	cryptmod_info = {
115 	&cryptmod_rinit,	/* st_rdinit */
116 	&cryptmod_winit,	/* st_wrinit */
117 	NULL,	/* st_muxrinit */
118 	NULL	/* st_muxwinit */
119 };
120 
121 typedef struct {
122 	uint_t hash_len;
123 	uint_t confound_len;
124 	int (*hashfunc)();
125 } hash_info_t;
126 
127 #define	MAX_CKSUM_LEN 20
128 #define	CONFOUNDER_LEN 8
129 
130 #define	SHA1_HASHSIZE 20
131 #define	MD5_HASHSIZE 16
132 #define	CRC32_HASHSIZE 4
133 #define	MSGBUF_SIZE 4096
134 #define	CONFOUNDER_BYTES 128
135 
136 
137 static int crc32_calc(uchar_t *, uchar_t *, uint_t);
138 static int md5_calc(uchar_t *, uchar_t *, uint_t);
139 static int sha1_calc(uchar_t *, uchar_t *, uint_t);
140 
141 static hash_info_t null_hash = {0, 0, NULL};
142 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
143 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
144 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};
145 
146 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
147 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
148 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
149 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;
150 
151 static int kef_crypt(struct cipher_data_t *, void *,
152 		    crypto_data_format_t, size_t, int);
153 static mblk_t *
154 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
155 		mblk_t *, hash_info_t *);
156 static mblk_t *
157 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
158 		mblk_t *, hash_info_t *);
159 
160 static int
161 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);
162 
163 /*
164  * This is the loadable module wrapper.
165  */
166 #include <sys/modctl.h>
167 
168 static struct fmodsw fsw = {
169 	"cryptmod",
170 	&cryptmod_info,
171 	D_MP | D_MTQPAIR
172 };
173 
174 /*
175  * Module linkage information for the kernel.
176  */
177 static struct modlstrmod modlstrmod = {
178 	&mod_strmodops,
179 	"STREAMS encryption module",
180 	&fsw
181 };
182 
183 static struct modlinkage modlinkage = {
184 	MODREV_1,
185 	&modlstrmod,
186 	NULL
187 };
188 
189 int
_init(void)190 _init(void)
191 {
192 	return (mod_install(&modlinkage));
193 }
194 
195 int
_fini(void)196 _fini(void)
197 {
198 	return (mod_remove(&modlinkage));
199 }
200 
201 int
_info(struct modinfo * modinfop)202 _info(struct modinfo *modinfop)
203 {
204 	return (mod_info(&modlinkage, modinfop));
205 }
206 
207 static void
cleanup(struct cipher_data_t * cd)208 cleanup(struct cipher_data_t *cd)
209 {
210 	if (cd->key != NULL) {
211 		bzero(cd->key, cd->keylen);
212 		kmem_free(cd->key, cd->keylen);
213 		cd->key = NULL;
214 	}
215 
216 	if (cd->ckey != NULL) {
217 		/*
218 		 * ckey is a crypto_key_t structure which references
219 		 * "cd->key" for its raw key data.  Since that was already
220 		 * cleared out, we don't need another "bzero" here.
221 		 */
222 		kmem_free(cd->ckey, sizeof (crypto_key_t));
223 		cd->ckey = NULL;
224 	}
225 
226 	if (cd->block != NULL) {
227 		kmem_free(cd->block, cd->blocklen);
228 		cd->block = NULL;
229 	}
230 
231 	if (cd->saveblock != NULL) {
232 		kmem_free(cd->saveblock, cd->blocklen);
233 		cd->saveblock = NULL;
234 	}
235 
236 	if (cd->ivec != NULL) {
237 		kmem_free(cd->ivec, cd->ivlen);
238 		cd->ivec = NULL;
239 	}
240 
241 	if (cd->d_encr_key.ck_data != NULL) {
242 		bzero(cd->d_encr_key.ck_data, cd->keylen);
243 		kmem_free(cd->d_encr_key.ck_data, cd->keylen);
244 	}
245 
246 	if (cd->d_hmac_key.ck_data != NULL) {
247 		bzero(cd->d_hmac_key.ck_data, cd->keylen);
248 		kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
249 	}
250 
251 	if (cd->enc_tmpl != NULL)
252 		(void) crypto_destroy_ctx_template(cd->enc_tmpl);
253 
254 	if (cd->hmac_tmpl != NULL)
255 		(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
256 
257 	if (cd->ctx != NULL) {
258 		crypto_cancel_ctx(cd->ctx);
259 		cd->ctx = NULL;
260 	}
261 }
262 
263 /* ARGSUSED */
264 static int
cryptmodopen(queue_t * rq,dev_t * dev,int oflag,int sflag,cred_t * crp)265 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
266 {
267 	struct tmodinfo	*tmi;
268 	ASSERT(rq);
269 
270 	if (sflag != MODOPEN)
271 		return (EINVAL);
272 
273 	(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
274 			"cryptmodopen: opening module(PID %d)",
275 			ddi_get_pid()));
276 
277 	if (rq->q_ptr != NULL) {
278 		cmn_err(CE_WARN, "cryptmodopen: already opened");
279 		return (0);
280 	}
281 
282 	/*
283 	 * Allocate and initialize per-Stream structure.
284 	 */
285 	tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo),
286 						KM_SLEEP);
287 
288 	tmi->enc_data.method = CRYPT_METHOD_NONE;
289 	tmi->dec_data.method = CRYPT_METHOD_NONE;
290 
291 	tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);
292 
293 	rq->q_ptr = WR(rq)->q_ptr = tmi;
294 
295 	sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
296 	md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
297 	sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
298 	md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);
299 
300 	qprocson(rq);
301 
302 	return (0);
303 }
304 
305 /* ARGSUSED */
306 static int
cryptmodclose(queue_t * rq,int flags __unused,cred_t * credp __unused)307 cryptmodclose(queue_t *rq, int flags __unused, cred_t *credp __unused)
308 {
309 	struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
310 	ASSERT(tmi);
311 
312 	qprocsoff(rq);
313 
314 	cleanup(&tmi->enc_data);
315 	cleanup(&tmi->dec_data);
316 
317 	kmem_free(tmi, sizeof (struct tmodinfo));
318 	rq->q_ptr = WR(rq)->q_ptr = NULL;
319 
320 	return (0);
321 }
322 
323 /*
324  * plaintext_offset
325  *
326  * Calculate exactly how much space is needed in front
327  * of the "plaintext" in an mbuf so it can be positioned
328  * 1 time instead of potentially moving the data multiple
329  * times.
330  */
331 static int
plaintext_offset(struct cipher_data_t * cd)332 plaintext_offset(struct cipher_data_t *cd)
333 {
334 	int headspace = 0;
335 
336 	/* 4 byte length prepended to all RCMD msgs */
337 	if (ANY_RCMD_MODE(cd->option_mask))
338 		headspace += RCMD_LEN_SZ;
339 
340 	/* RCMD V2 mode adds an additional 4 byte plaintext length */
341 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
342 		headspace += RCMD_LEN_SZ;
343 
344 	/* Need extra space for hash and counfounder */
345 	switch (cd->method) {
346 	case CRYPT_METHOD_DES_CBC_NULL:
347 		headspace += null_hash.hash_len + null_hash.confound_len;
348 		break;
349 	case CRYPT_METHOD_DES_CBC_CRC:
350 		headspace += crc32_hash.hash_len + crc32_hash.confound_len;
351 		break;
352 	case CRYPT_METHOD_DES_CBC_MD5:
353 		headspace += md5_hash.hash_len + md5_hash.confound_len;
354 		break;
355 	case CRYPT_METHOD_DES3_CBC_SHA1:
356 		headspace += sha1_hash.confound_len;
357 		break;
358 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
359 		headspace += md5_hash.hash_len + md5_hash.confound_len;
360 		break;
361 	case CRYPT_METHOD_AES128:
362 	case CRYPT_METHOD_AES256:
363 		headspace += DEFAULT_AES_BLOCKLEN;
364 		break;
365 	case CRYPT_METHOD_DES_CFB:
366 	case CRYPT_METHOD_NONE:
367 		break;
368 	}
369 
370 	return (headspace);
371 }
372 /*
373  * encrypt_size
374  *
375  * Calculate the resulting size when encrypting 'plainlen' bytes
376  * of data.
377  */
378 static size_t
encrypt_size(struct cipher_data_t * cd,size_t plainlen)379 encrypt_size(struct cipher_data_t *cd, size_t plainlen)
380 {
381 	size_t cipherlen;
382 
383 	switch (cd->method) {
384 	case CRYPT_METHOD_DES_CBC_NULL:
385 		cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
386 					    plainlen, 8);
387 		break;
388 	case CRYPT_METHOD_DES_CBC_MD5:
389 		cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
390 					    md5_hash.confound_len +
391 					    plainlen, 8);
392 		break;
393 	case CRYPT_METHOD_DES_CBC_CRC:
394 		cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
395 					    crc32_hash.confound_len +
396 					    plainlen, 8);
397 		break;
398 	case CRYPT_METHOD_DES3_CBC_SHA1:
399 		cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
400 					    plainlen, 8) +
401 					    sha1_hash.hash_len;
402 		break;
403 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
404 		cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
405 				plainlen, 1) + md5_hash.hash_len;
406 		break;
407 	case CRYPT_METHOD_AES128:
408 	case CRYPT_METHOD_AES256:
409 		/* No roundup for AES-CBC-CTS */
410 		cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
411 			AES_TRUNCATED_HMAC_LEN;
412 		break;
413 	case CRYPT_METHOD_DES_CFB:
414 	case CRYPT_METHOD_NONE:
415 		cipherlen = plainlen;
416 		break;
417 	}
418 
419 	return (cipherlen);
420 }
421 
422 /*
423  * des_cfb_encrypt
424  *
425  * Encrypt the mblk data using DES with cipher feedback.
426  *
427  * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
428  * vector, D[n] is the nth chunk of 64 bits of data to encrypt
429  * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
430  * (decrypted) data, then:
431  *
432  *  V[0] = DES(V[i], key)
433  *  O[n] = D[n] <exclusive or > V[n]
434  *  V[n+1] = DES(O[n], key)
435  *
436  * The size of the message being encrypted does not change in this
437  * algorithm, num_bytes in == num_bytes out.
438  */
439 static mblk_t *
des_cfb_encrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp)440 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
441 {
442 	int savedbytes;
443 	char *iptr, *optr, *lastoutput;
444 
445 	lastoutput = optr = (char *)mp->b_rptr;
446 	iptr = (char *)mp->b_rptr;
447 	savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;
448 
449 	while (iptr < (char *)mp->b_wptr) {
450 		/*
451 		 * Do DES-ECB.
452 		 * The first time this runs, the 'tmi->enc_data.block' will
453 		 * contain the initialization vector that should have been
454 		 * passed in with the SETUP ioctl.
455 		 *
456 		 * V[n] = DES(V[n-1], key)
457 		 */
458 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
459 			int retval = 0;
460 			retval = kef_crypt(&tmi->enc_data,
461 					tmi->enc_data.block,
462 					CRYPTO_DATA_RAW,
463 					tmi->enc_data.blocklen,
464 					CRYPT_ENCRYPT);
465 
466 			if (retval != CRYPTO_SUCCESS) {
467 #ifdef DEBUG
468 				cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
469 					"failed - error 0x%0x", retval);
470 #endif
471 				mp->b_datap->db_type = M_ERROR;
472 				mp->b_rptr = mp->b_datap->db_base;
473 				*mp->b_rptr = EIO;
474 				mp->b_wptr = mp->b_rptr + sizeof (char);
475 				freemsg(mp->b_cont);
476 				mp->b_cont = NULL;
477 				qreply(WR(q), mp);
478 				return (NULL);
479 			}
480 		}
481 
482 		/* O[n] = I[n] ^ V[n] */
483 		*(optr++) = *(iptr++) ^
484 		    tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];
485 
486 		tmi->enc_data.bytes++;
487 		/*
488 		 * Feedback the encrypted output as the input to next DES call.
489 		 */
490 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
491 			char *dbptr = tmi->enc_data.block;
492 			/*
493 			 * Get the last bits of input from the previous
494 			 * msg block that we haven't yet used as feedback input.
495 			 */
496 			if (savedbytes > 0) {
497 				bcopy(tmi->enc_data.saveblock,
498 				    dbptr, (size_t)savedbytes);
499 				dbptr += savedbytes;
500 			}
501 
502 			/*
503 			 * Now copy the correct bytes from the current input
504 			 * stream and update the 'lastoutput' ptr
505 			 */
506 			bcopy(lastoutput, dbptr,
507 				(size_t)(CFB_BLKSZ - savedbytes));
508 
509 			lastoutput += (CFB_BLKSZ - savedbytes);
510 			savedbytes = 0;
511 		}
512 	}
513 	/*
514 	 * If there are bytes of input here that we need in the next
515 	 * block to build an ivec, save them off here.
516 	 */
517 	if (lastoutput < optr) {
518 		bcopy(lastoutput,
519 		    tmi->enc_data.saveblock + savedbytes,
520 		    (uint_t)(optr - lastoutput));
521 	}
522 	return (mp);
523 }
524 
525 /*
526  * des_cfb_decrypt
527  *
528  * Decrypt the data in the mblk using DES in Cipher Feedback mode
529  *
530  * # bytes in == # bytes out, no padding, confounding, or hashing
531  * is added.
532  *
533  */
534 static mblk_t *
des_cfb_decrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp)535 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
536 {
537 	uint_t len;
538 	uint_t savedbytes;
539 	char *iptr;
540 	char *lastinput;
541 	uint_t cp;
542 
543 	len = MBLKL(mp);
544 
545 	/* decrypted output goes into the new data buffer */
546 	lastinput = iptr = (char *)mp->b_rptr;
547 
548 	savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;
549 
550 	/*
551 	 * Save the input CFB_BLKSZ bytes at a time.
552 	 * We are trying to decrypt in-place, but need to keep
553 	 * a small sliding window of encrypted text to be
554 	 * used to construct the feedback buffer.
555 	 */
556 	cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
557 		tmi->dec_data.blocklen - savedbytes);
558 
559 	bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
560 	savedbytes += cp;
561 
562 	lastinput += cp;
563 
564 	while (iptr < (char *)mp->b_wptr) {
565 		/*
566 		 * Do DES-ECB.
567 		 * The first time this runs, the 'tmi->dec_data.block' will
568 		 * contain the initialization vector that should have been
569 		 * passed in with the SETUP ioctl.
570 		 */
571 		if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
572 			int retval;
573 			retval = kef_crypt(&tmi->dec_data,
574 					tmi->dec_data.block,
575 					CRYPTO_DATA_RAW,
576 					tmi->dec_data.blocklen,
577 					CRYPT_ENCRYPT);
578 
579 			if (retval != CRYPTO_SUCCESS) {
580 #ifdef DEBUG
581 				cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
582 					"failed - status 0x%0x", retval);
583 #endif
584 				mp->b_datap->db_type = M_ERROR;
585 				mp->b_rptr = mp->b_datap->db_base;
586 				*mp->b_rptr = EIO;
587 				mp->b_wptr = mp->b_rptr + sizeof (char);
588 				freemsg(mp->b_cont);
589 				mp->b_cont = NULL;
590 				qreply(WR(q), mp);
591 				return (NULL);
592 			}
593 		}
594 
595 		/*
596 		 * To decrypt, XOR the input with the output from the DES call
597 		 */
598 		*(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
599 				CFB_BLKSZ];
600 
601 		tmi->dec_data.bytes++;
602 
603 		/*
604 		 * Feedback the encrypted input for next DES call.
605 		 */
606 		if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
607 			char *dbptr = tmi->dec_data.block;
608 			/*
609 			 * Get the last bits of input from the previous block
610 			 * that we haven't yet processed.
611 			 */
612 			if (savedbytes > 0) {
613 				bcopy(tmi->dec_data.saveblock,
614 				    dbptr, savedbytes);
615 				dbptr += savedbytes;
616 			}
617 
618 			savedbytes = 0;
619 
620 			/*
621 			 * This block makes sure that our local
622 			 * buffer of input data is full and can
623 			 * be accessed from the beginning.
624 			 */
625 			if (lastinput < (char *)mp->b_wptr) {
626 
627 				/* How many bytes are left in the mblk? */
628 				cp = (((char *)mp->b_wptr - lastinput) >
629 					tmi->dec_data.blocklen ?
630 					tmi->dec_data.blocklen :
631 					(char *)mp->b_wptr - lastinput);
632 
633 				/* copy what we need */
634 				bcopy(lastinput, tmi->dec_data.saveblock,
635 					cp);
636 
637 				lastinput += cp;
638 				savedbytes = cp;
639 			}
640 		}
641 	}
642 
643 	return (mp);
644 }
645 
646 /*
647  * crc32_calc
648  *
649  * Compute a CRC32 checksum on the input
650  */
651 static int
crc32_calc(uchar_t * buf,uchar_t * input,uint_t len)652 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
653 {
654 	uint32_t crc;
655 
656 	CRC32(crc, input, len, 0, crc32_table);
657 
658 	buf[0] = (uchar_t)(crc & 0xff);
659 	buf[1] = (uchar_t)((crc >> 8) & 0xff);
660 	buf[2] = (uchar_t)((crc >> 16) & 0xff);
661 	buf[3] = (uchar_t)((crc >> 24) & 0xff);
662 
663 	return (CRYPTO_SUCCESS);
664 }
665 
666 static int
kef_digest(crypto_mech_type_t digest_type,uchar_t * input,uint_t inlen,uchar_t * output,uint_t hashlen)667 kef_digest(crypto_mech_type_t digest_type,
668 	uchar_t *input, uint_t inlen,
669 	uchar_t *output, uint_t hashlen)
670 {
671 	iovec_t v1, v2;
672 	crypto_data_t d1, d2;
673 	crypto_mechanism_t mech;
674 	int rv;
675 
676 	mech.cm_type = digest_type;
677 	mech.cm_param = 0;
678 	mech.cm_param_len = 0;
679 
680 	v1.iov_base = (void *)input;
681 	v1.iov_len = inlen;
682 
683 	d1.cd_format = CRYPTO_DATA_RAW;
684 	d1.cd_offset = 0;
685 	d1.cd_length = v1.iov_len;
686 	d1.cd_raw = v1;
687 
688 	v2.iov_base = (void *)output;
689 	v2.iov_len = hashlen;
690 
691 	d2.cd_format = CRYPTO_DATA_RAW;
692 	d2.cd_offset = 0;
693 	d2.cd_length = v2.iov_len;
694 	d2.cd_raw = v2;
695 
696 	rv = crypto_digest(&mech, &d1, &d2, NULL);
697 
698 	return (rv);
699 }
700 
701 /*
702  * sha1_calc
703  *
704  * Get a SHA1 hash on the input data.
705  */
706 static int
sha1_calc(uchar_t * output,uchar_t * input,uint_t inlen)707 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
708 {
709 	int rv;
710 
711 	rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);
712 
713 	return (rv);
714 }
715 
716 /*
717  * Get an MD5 hash on the input data.
718  * md5_calc
719  *
720  */
721 static int
md5_calc(uchar_t * output,uchar_t * input,uint_t inlen)722 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
723 {
724 	int rv;
725 
726 	rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);
727 
728 	return (rv);
729 }
730 
731 /*
732  * nfold
733  * duplicate the functionality of the krb5_nfold function from
734  * the userland kerberos mech.
735  * This is needed to derive keys for use with 3DES/SHA1-HMAC
736  * ciphers.
737  */
738 static void
nfold(int inbits,uchar_t * in,int outbits,uchar_t * out)739 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
740 {
741 	int a, b, c, lcm;
742 	int byte, i, msbit;
743 
744 	inbits >>= 3;
745 	outbits >>= 3;
746 
747 	/* first compute lcm(n,k) */
748 	a = outbits;
749 	b = inbits;
750 
751 	while (b != 0) {
752 		c = b;
753 		b = a%b;
754 		a = c;
755 	}
756 
757 	lcm = outbits*inbits/a;
758 
759 	/* now do the real work */
760 
761 	bzero(out, outbits);
762 	byte = 0;
763 
764 	/*
765 	 * Compute the msbit in k which gets added into this byte
766 	 * first, start with the msbit in the first, unrotated byte
767 	 * then, for each byte, shift to the right for each repetition
768 	 * last, pick out the correct byte within that shifted repetition
769 	 */
770 	for (i = lcm-1; i >= 0; i--) {
771 		msbit = (((inbits<<3)-1)
772 			+(((inbits<<3)+13)*(i/inbits))
773 			+((inbits-(i%inbits))<<3)) %(inbits<<3);
774 
775 		/* pull out the byte value itself */
776 		byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
777 			(in[((inbits)-(msbit>>3))%inbits]))
778 			>>((msbit&7)+1))&0xff;
779 
780 		/* do the addition */
781 		byte += out[i%outbits];
782 		out[i%outbits] = byte&0xff;
783 
784 		byte >>= 8;
785 	}
786 
787 	/* if there's a carry bit left over, add it back in */
788 	if (byte) {
789 		for (i = outbits-1; i >= 0; i--) {
790 			/* do the addition */
791 			byte += out[i];
792 			out[i] = byte&0xff;
793 
794 			/* keep around the carry bit, if any */
795 			byte >>= 8;
796 		}
797 	}
798 }
799 
800 #define	smask(step) ((1<<step)-1)
801 #define	pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
802 #define	parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
803 
804 /*
805  * Duplicate the functionality of the "dk_derive_key" function
806  * in the Kerberos mechanism.
807  */
808 static int
derive_key(struct cipher_data_t * cdata,uchar_t * constdata,int constlen,char * dkey,int keybytes,int blocklen)809 derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
810 	int constlen, char *dkey, int keybytes,
811 	int blocklen)
812 {
813 	int rv = 0;
814 	int n = 0, i;
815 	char *inblock;
816 	char *rawkey;
817 	char *zeroblock;
818 	char *saveblock;
819 
820 	inblock = kmem_zalloc(blocklen, KM_SLEEP);
821 	rawkey = kmem_zalloc(keybytes, KM_SLEEP);
822 	zeroblock = kmem_zalloc(blocklen, KM_SLEEP);
823 
824 	if (constlen == blocklen)
825 		bcopy(constdata, inblock, blocklen);
826 	else
827 		nfold(constlen * 8, constdata,
828 			blocklen * 8, (uchar_t *)inblock);
829 
830 	/*
831 	 * zeroblock is an IV of all 0's.
832 	 *
833 	 * The "block" section of the cdata record is used as the
834 	 * IV for crypto operations in the kef_crypt function.
835 	 *
836 	 * We use 'block' as a generic IV data buffer because it
837 	 * is attached to the stream state data and thus can
838 	 * be used to hold information that must carry over
839 	 * from processing of one mblk to another.
840 	 *
841 	 * Here, we save the current IV and replace it with
842 	 * and empty IV (all 0's) for use when deriving the
843 	 * keys.  Once the key derivation is done, we swap the
844 	 * old IV back into place.
845 	 */
846 	saveblock = cdata->block;
847 	cdata->block = zeroblock;
848 
849 	while (n < keybytes) {
850 		rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
851 				blocklen, CRYPT_ENCRYPT);
852 		if (rv != CRYPTO_SUCCESS) {
853 			/* put the original IV block back in place */
854 			cdata->block = saveblock;
855 			cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
856 			goto cleanup;
857 		}
858 
859 		if (keybytes - n < blocklen) {
860 			bcopy(inblock, rawkey+n, (keybytes-n));
861 			break;
862 		}
863 		bcopy(inblock, rawkey+n, blocklen);
864 		n += blocklen;
865 	}
866 	/* put the original IV block back in place */
867 	cdata->block = saveblock;
868 
869 	/* finally, make the key */
870 	if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
871 		/*
872 		 * 3DES key derivation requires that we make sure the
873 		 * key has the proper parity.
874 		 */
875 		for (i = 0; i < 3; i++) {
876 			bcopy(rawkey+(i*7), dkey+(i*8), 7);
877 
878 			/* 'dkey' is our derived key output buffer */
879 			dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
880 					((dkey[i*8+1]&1)<<2) |
881 					((dkey[i*8+2]&1)<<3) |
882 					((dkey[i*8+3]&1)<<4) |
883 					((dkey[i*8+4]&1)<<5) |
884 					((dkey[i*8+5]&1)<<6) |
885 					((dkey[i*8+6]&1)<<7));
886 
887 			for (n = 0; n < 8; n++) {
888 				dkey[i*8 + n] &=  0xfe;
889 				dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
890 			}
891 		}
892 	} else if (IS_AES_METHOD(cdata->method)) {
893 		bcopy(rawkey, dkey, keybytes);
894 	}
895 cleanup:
896 	kmem_free(inblock, blocklen);
897 	kmem_free(zeroblock, blocklen);
898 	kmem_free(rawkey, keybytes);
899 	return (rv);
900 }
901 
902 /*
903  * create_derived_keys
904  *
905  * Algorithm for deriving a new key and an HMAC key
906  * before computing the 3DES-SHA1-HMAC operation on the plaintext
907  * This algorithm matches the work done by Kerberos mechanism
908  * in userland.
909  */
910 static int
create_derived_keys(struct cipher_data_t * cdata,uint32_t usage,crypto_key_t * enckey,crypto_key_t * hmackey)911 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
912 		crypto_key_t *enckey, crypto_key_t *hmackey)
913 {
914 	uchar_t constdata[K5CLENGTH];
915 	int keybytes;
916 	int rv;
917 
918 	constdata[0] = (usage>>24)&0xff;
919 	constdata[1] = (usage>>16)&0xff;
920 	constdata[2] = (usage>>8)&0xff;
921 	constdata[3] = usage & 0xff;
922 	/* Use "0xAA" for deriving encryption key */
923 	constdata[4] = 0xAA; /* from MIT Kerberos code */
924 
925 	enckey->ck_length = cdata->keylen * 8;
926 	enckey->ck_format = CRYPTO_KEY_RAW;
927 	enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
928 
929 	switch (cdata->method) {
930 		case CRYPT_METHOD_DES_CFB:
931 		case CRYPT_METHOD_DES_CBC_NULL:
932 		case CRYPT_METHOD_DES_CBC_MD5:
933 		case CRYPT_METHOD_DES_CBC_CRC:
934 			keybytes = 8;
935 			break;
936 		case CRYPT_METHOD_DES3_CBC_SHA1:
937 			keybytes = CRYPT_DES3_KEYBYTES;
938 			break;
939 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
940 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
941 			keybytes = CRYPT_ARCFOUR_KEYBYTES;
942 			break;
943 		case CRYPT_METHOD_AES128:
944 			keybytes = CRYPT_AES128_KEYBYTES;
945 			break;
946 		case CRYPT_METHOD_AES256:
947 			keybytes = CRYPT_AES256_KEYBYTES;
948 			break;
949 	}
950 
951 	/* derive main crypto key */
952 	rv = derive_key(cdata, constdata, sizeof (constdata),
953 		enckey->ck_data, keybytes, cdata->blocklen);
954 
955 	if (rv == CRYPTO_SUCCESS) {
956 
957 		/* Use "0x55" for deriving mac key */
958 		constdata[4] = 0x55;
959 
960 		hmackey->ck_length = cdata->keylen * 8;
961 		hmackey->ck_format = CRYPTO_KEY_RAW;
962 		hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
963 
964 		rv = derive_key(cdata, constdata, sizeof (constdata),
965 				hmackey->ck_data, keybytes,
966 				cdata->blocklen);
967 	} else {
968 		cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
969 	}
970 
971 	return (rv);
972 }
973 
974 /*
975  * Compute 3-DES crypto and HMAC.
976  */
977 static int
kef_decr_hmac(struct cipher_data_t * cdata,mblk_t * mp,int length,char * hmac,int hmaclen)978 kef_decr_hmac(struct cipher_data_t *cdata,
979 	mblk_t *mp, int length,
980 	char *hmac, int hmaclen)
981 {
982 	int rv = CRYPTO_FAILED;
983 
984 	crypto_mechanism_t encr_mech;
985 	crypto_mechanism_t mac_mech;
986 	crypto_data_t dd;
987 	crypto_data_t mac;
988 	iovec_t v1;
989 
990 	ASSERT(cdata != NULL);
991 	ASSERT(mp != NULL);
992 	ASSERT(hmac != NULL);
993 
994 	bzero(&dd, sizeof (dd));
995 	dd.cd_format = CRYPTO_DATA_MBLK;
996 	dd.cd_offset = 0;
997 	dd.cd_length = length;
998 	dd.cd_mp = mp;
999 
1000 	v1.iov_base = hmac;
1001 	v1.iov_len = hmaclen;
1002 
1003 	mac.cd_format = CRYPTO_DATA_RAW;
1004 	mac.cd_offset = 0;
1005 	mac.cd_length = hmaclen;
1006 	mac.cd_raw = v1;
1007 
1008 	/*
1009 	 * cdata->block holds the IVEC
1010 	 */
1011 	encr_mech.cm_type = cdata->mech_type;
1012 	encr_mech.cm_param = cdata->block;
1013 
1014 	if (cdata->block != NULL)
1015 		encr_mech.cm_param_len = cdata->blocklen;
1016 	else
1017 		encr_mech.cm_param_len = 0;
1018 
1019 	rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key,
1020 			cdata->enc_tmpl, NULL, NULL);
1021 	if (rv != CRYPTO_SUCCESS) {
1022 		cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv);
1023 		return (rv);
1024 	}
1025 
1026 	mac_mech.cm_type = sha1_hmac_mech;
1027 	mac_mech.cm_param = NULL;
1028 	mac_mech.cm_param_len = 0;
1029 
1030 	/*
1031 	 * Compute MAC of the plaintext decrypted above.
1032 	 */
1033 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1034 			cdata->hmac_tmpl, &mac, NULL);
1035 
1036 	if (rv != CRYPTO_SUCCESS) {
1037 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1038 	}
1039 
1040 	return (rv);
1041 }
1042 
1043 /*
1044  * Compute 3-DES crypto and HMAC.
1045  */
1046 static int
kef_encr_hmac(struct cipher_data_t * cdata,mblk_t * mp,int length,char * hmac,int hmaclen)1047 kef_encr_hmac(struct cipher_data_t *cdata,
1048 	mblk_t *mp, int length,
1049 	char *hmac, int hmaclen)
1050 {
1051 	int rv = CRYPTO_FAILED;
1052 
1053 	crypto_mechanism_t encr_mech;
1054 	crypto_mechanism_t mac_mech;
1055 	crypto_data_t dd;
1056 	crypto_data_t mac;
1057 	iovec_t v1;
1058 
1059 	ASSERT(cdata != NULL);
1060 	ASSERT(mp != NULL);
1061 	ASSERT(hmac != NULL);
1062 
1063 	bzero(&dd, sizeof (dd));
1064 	dd.cd_format = CRYPTO_DATA_MBLK;
1065 	dd.cd_offset = 0;
1066 	dd.cd_length = length;
1067 	dd.cd_mp = mp;
1068 
1069 	v1.iov_base = hmac;
1070 	v1.iov_len = hmaclen;
1071 
1072 	mac.cd_format = CRYPTO_DATA_RAW;
1073 	mac.cd_offset = 0;
1074 	mac.cd_length = hmaclen;
1075 	mac.cd_raw = v1;
1076 
1077 	/*
1078 	 * cdata->block holds the IVEC
1079 	 */
1080 	encr_mech.cm_type = cdata->mech_type;
1081 	encr_mech.cm_param = cdata->block;
1082 
1083 	if (cdata->block != NULL)
1084 		encr_mech.cm_param_len = cdata->blocklen;
1085 	else
1086 		encr_mech.cm_param_len = 0;
1087 
1088 	mac_mech.cm_type = sha1_hmac_mech;
1089 	mac_mech.cm_param = NULL;
1090 	mac_mech.cm_param_len = 0;
1091 
1092 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1093 			cdata->hmac_tmpl, &mac, NULL);
1094 
1095 	if (rv != CRYPTO_SUCCESS) {
1096 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1097 		return (rv);
1098 	}
1099 
1100 	rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key,
1101 			cdata->enc_tmpl, NULL, NULL);
1102 	if (rv != CRYPTO_SUCCESS) {
1103 		cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv);
1104 	}
1105 
1106 	return (rv);
1107 }
1108 
1109 /*
1110  * kef_crypt
1111  *
1112  * Use the Kernel encryption framework to provide the
1113  * crypto operations for the indicated data.
1114  */
1115 static int
kef_crypt(struct cipher_data_t * cdata,void * indata,crypto_data_format_t fmt,size_t length,int mode)1116 kef_crypt(struct cipher_data_t *cdata,
1117 	void *indata, crypto_data_format_t fmt,
1118 	size_t length, int mode)
1119 {
1120 	int rv = CRYPTO_FAILED;
1121 
1122 	crypto_mechanism_t mech;
1123 	crypto_key_t crkey;
1124 	iovec_t v1;
1125 	crypto_data_t d1;
1126 
1127 	ASSERT(cdata != NULL);
1128 	ASSERT(indata != NULL);
1129 	ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);
1130 
1131 	bzero(&crkey, sizeof (crkey));
1132 	bzero(&d1, sizeof (d1));
1133 
1134 	crkey.ck_format = CRYPTO_KEY_RAW;
1135 	crkey.ck_data =  cdata->key;
1136 
1137 	/* keys are measured in bits, not bytes, so multiply by 8 */
1138 	crkey.ck_length = cdata->keylen * 8;
1139 
1140 	if (fmt == CRYPTO_DATA_RAW) {
1141 		v1.iov_base = (char *)indata;
1142 		v1.iov_len = length;
1143 	}
1144 
1145 	d1.cd_format = fmt;
1146 	d1.cd_offset = 0;
1147 	d1.cd_length = length;
1148 	if (fmt == CRYPTO_DATA_RAW)
1149 		d1.cd_raw = v1;
1150 	else if (fmt == CRYPTO_DATA_MBLK)
1151 		d1.cd_mp = (mblk_t *)indata;
1152 
1153 	mech.cm_type = cdata->mech_type;
1154 	mech.cm_param = cdata->block;
1155 	/*
1156 	 * cdata->block holds the IVEC
1157 	 */
1158 	if (cdata->block != NULL)
1159 		mech.cm_param_len = cdata->blocklen;
1160 	else
1161 		mech.cm_param_len = 0;
1162 
1163 	/*
1164 	 * encrypt and decrypt in-place
1165 	 */
1166 	if (mode == CRYPT_ENCRYPT)
1167 		rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1168 	else
1169 		rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1170 
1171 	if (rv != CRYPTO_SUCCESS) {
1172 		cmn_err(CE_WARN, "%s returned error %08x",
1173 			(mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
1174 				"crypto_decrypt"), rv);
1175 		return (CRYPTO_FAILED);
1176 	}
1177 
1178 	return (rv);
1179 }
1180 
1181 static int
do_hmac(crypto_mech_type_t mech,crypto_key_t * key,char * data,int datalen,char * hmac,int hmaclen)1182 do_hmac(crypto_mech_type_t mech,
1183 	crypto_key_t *key,
1184 	char *data, int datalen,
1185 	char *hmac, int hmaclen)
1186 {
1187 	int rv = 0;
1188 	crypto_mechanism_t mac_mech;
1189 	crypto_data_t dd;
1190 	crypto_data_t mac;
1191 	iovec_t vdata, vmac;
1192 
1193 	mac_mech.cm_type = mech;
1194 	mac_mech.cm_param = NULL;
1195 	mac_mech.cm_param_len = 0;
1196 
1197 	vdata.iov_base = data;
1198 	vdata.iov_len = datalen;
1199 
1200 	bzero(&dd, sizeof (dd));
1201 	dd.cd_format = CRYPTO_DATA_RAW;
1202 	dd.cd_offset = 0;
1203 	dd.cd_length = datalen;
1204 	dd.cd_raw = vdata;
1205 
1206 	vmac.iov_base = hmac;
1207 	vmac.iov_len = hmaclen;
1208 
1209 	mac.cd_format = CRYPTO_DATA_RAW;
1210 	mac.cd_offset = 0;
1211 	mac.cd_length = hmaclen;
1212 	mac.cd_raw = vmac;
1213 
1214 	/*
1215 	 * Compute MAC of the plaintext decrypted above.
1216 	 */
1217 	rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);
1218 
1219 	if (rv != CRYPTO_SUCCESS) {
1220 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1221 	}
1222 
1223 	return (rv);
1224 }
1225 
1226 #define	XOR_BLOCK(src, dst) \
1227 	(dst)[0] ^= (src)[0]; \
1228 	(dst)[1] ^= (src)[1]; \
1229 	(dst)[2] ^= (src)[2]; \
1230 	(dst)[3] ^= (src)[3]; \
1231 	(dst)[4] ^= (src)[4]; \
1232 	(dst)[5] ^= (src)[5]; \
1233 	(dst)[6] ^= (src)[6]; \
1234 	(dst)[7] ^= (src)[7]; \
1235 	(dst)[8] ^= (src)[8]; \
1236 	(dst)[9] ^= (src)[9]; \
1237 	(dst)[10] ^= (src)[10]; \
1238 	(dst)[11] ^= (src)[11]; \
1239 	(dst)[12] ^= (src)[12]; \
1240 	(dst)[13] ^= (src)[13]; \
1241 	(dst)[14] ^= (src)[14]; \
1242 	(dst)[15] ^= (src)[15]
1243 
1244 #define	xorblock(x, y) XOR_BLOCK(y, x)
1245 
1246 static int
aes_cbc_cts_encrypt(struct tmodinfo * tmi,uchar_t * plain,size_t length)1247 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
1248 {
1249 	int result = CRYPTO_SUCCESS;
1250 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1251 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1252 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1253 	int nblocks = 0, blockno;
1254 	crypto_data_t ct, pt;
1255 	crypto_mechanism_t mech;
1256 
1257 	mech.cm_type = tmi->enc_data.mech_type;
1258 	if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) {
1259 		bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1260 	} else {
1261 		bzero(tmp, sizeof (tmp));
1262 	}
1263 	mech.cm_param = NULL;
1264 	mech.cm_param_len = 0;
1265 
1266 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1267 
1268 	bzero(&ct, sizeof (crypto_data_t));
1269 	bzero(&pt, sizeof (crypto_data_t));
1270 
1271 	if (nblocks == 1) {
1272 		pt.cd_format = CRYPTO_DATA_RAW;
1273 		pt.cd_length = length;
1274 		pt.cd_raw.iov_base = (char *)plain;
1275 		pt.cd_raw.iov_len = length;
1276 
1277 		result = crypto_encrypt(&mech, &pt,
1278 			&tmi->enc_data.d_encr_key, NULL, NULL, NULL);
1279 
1280 		if (result != CRYPTO_SUCCESS) {
1281 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1282 				"crypto_encrypt failed: %0x", result);
1283 		}
1284 	} else {
1285 		size_t nleft;
1286 
1287 		ct.cd_format = CRYPTO_DATA_RAW;
1288 		ct.cd_offset = 0;
1289 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1290 
1291 		pt.cd_format = CRYPTO_DATA_RAW;
1292 		pt.cd_offset = 0;
1293 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1294 
1295 		result = crypto_encrypt_init(&mech,
1296 				&tmi->enc_data.d_encr_key,
1297 				tmi->enc_data.enc_tmpl,
1298 				&tmi->enc_data.ctx, NULL);
1299 
1300 		if (result != CRYPTO_SUCCESS) {
1301 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1302 				"crypto_encrypt_init failed: %0x", result);
1303 			goto cleanup;
1304 		}
1305 
1306 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1307 			xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN);
1308 
1309 			pt.cd_raw.iov_base = (char *)tmp;
1310 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1311 
1312 			ct.cd_raw.iov_base = (char *)plain +
1313 				blockno * DEFAULT_AES_BLOCKLEN;
1314 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1315 
1316 			result = crypto_encrypt_update(tmi->enc_data.ctx,
1317 					&pt, &ct, NULL);
1318 
1319 			if (result != CRYPTO_SUCCESS) {
1320 				cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1321 					"crypto_encrypt_update failed: %0x",
1322 					result);
1323 				goto cleanup;
1324 			}
1325 			/* copy result over original bytes */
1326 			/* make another copy for the next XOR step */
1327 			bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN,
1328 				tmp, DEFAULT_AES_BLOCKLEN);
1329 		}
1330 		/* XOR cipher text from n-3 with plain text from n-2 */
1331 		xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1332 
1333 		pt.cd_raw.iov_base = (char *)tmp;
1334 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1335 
1336 		ct.cd_raw.iov_base = (char *)tmp2;
1337 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1338 
1339 		/* encrypt XOR-ed block N-2 */
1340 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1341 				&pt, &ct, NULL);
1342 		if (result != CRYPTO_SUCCESS) {
1343 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1344 				"crypto_encrypt_update(2) failed: %0x",
1345 				result);
1346 			goto cleanup;
1347 		}
1348 		nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN;
1349 
1350 		bzero(tmp3, sizeof (tmp3));
1351 		/* Save final plaintext bytes from n-1 */
1352 		bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1353 			nleft);
1354 
1355 		/* Overwrite n-1 with cipher text from n-2 */
1356 		bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1357 			nleft);
1358 
1359 		bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN);
1360 		/* XOR cipher text from n-1 with plain text from n-1 */
1361 		xorblock(tmp, tmp3);
1362 
1363 		pt.cd_raw.iov_base = (char *)tmp;
1364 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1365 
1366 		ct.cd_raw.iov_base = (char *)tmp2;
1367 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1368 
1369 		/* encrypt block N-2 */
1370 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1371 			&pt, &ct, NULL);
1372 
1373 		if (result != CRYPTO_SUCCESS) {
1374 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1375 				"crypto_encrypt_update(3) failed: %0x",
1376 				result);
1377 			goto cleanup;
1378 		}
1379 
1380 		bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1381 			DEFAULT_AES_BLOCKLEN);
1382 
1383 
1384 		ct.cd_raw.iov_base = (char *)tmp2;
1385 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1386 
1387 		/*
1388 		 * Ignore the output on the final step.
1389 		 */
1390 		result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL);
1391 		if (result != CRYPTO_SUCCESS) {
1392 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1393 				"crypto_encrypt_final(3) failed: %0x",
1394 				result);
1395 		}
1396 		tmi->enc_data.ctx = NULL;
1397 	}
1398 cleanup:
1399 	bzero(tmp, sizeof (tmp));
1400 	bzero(tmp2, sizeof (tmp));
1401 	bzero(tmp3, sizeof (tmp));
1402 	bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
1403 	return (result);
1404 }
1405 
1406 static int
aes_cbc_cts_decrypt(struct tmodinfo * tmi,uchar_t * buff,size_t length)1407 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length)
1408 {
1409 	int result = CRYPTO_SUCCESS;
1410 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1411 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1412 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1413 	int nblocks = 0, blockno;
1414 	crypto_data_t ct, pt;
1415 	crypto_mechanism_t mech;
1416 
1417 	mech.cm_type = tmi->enc_data.mech_type;
1418 
1419 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1420 	    tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) {
1421 		bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1422 	} else {
1423 		bzero(tmp, sizeof (tmp));
1424 	}
1425 	mech.cm_param_len = 0;
1426 	mech.cm_param = NULL;
1427 
1428 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1429 
1430 	bzero(&pt, sizeof (pt));
1431 	bzero(&ct, sizeof (ct));
1432 
1433 	if (nblocks == 1) {
1434 		ct.cd_format = CRYPTO_DATA_RAW;
1435 		ct.cd_length = length;
1436 		ct.cd_raw.iov_base = (char *)buff;
1437 		ct.cd_raw.iov_len = length;
1438 
1439 		result = crypto_decrypt(&mech, &ct,
1440 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1441 
1442 		if (result != CRYPTO_SUCCESS) {
1443 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1444 				"crypto_decrypt failed: %0x", result);
1445 			goto cleanup;
1446 		}
1447 	} else {
1448 		ct.cd_format = CRYPTO_DATA_RAW;
1449 		ct.cd_offset = 0;
1450 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1451 
1452 		pt.cd_format = CRYPTO_DATA_RAW;
1453 		pt.cd_offset = 0;
1454 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1455 
1456 		result = crypto_decrypt_init(&mech,
1457 				&tmi->dec_data.d_encr_key,
1458 				tmi->dec_data.enc_tmpl,
1459 				&tmi->dec_data.ctx, NULL);
1460 
1461 		if (result != CRYPTO_SUCCESS) {
1462 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1463 				"crypto_decrypt_init failed: %0x", result);
1464 			goto cleanup;
1465 		}
1466 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1467 			ct.cd_raw.iov_base = (char *)buff +
1468 				(blockno * DEFAULT_AES_BLOCKLEN);
1469 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1470 
1471 			pt.cd_raw.iov_base = (char *)tmp2;
1472 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1473 
1474 			/*
1475 			 * Save the input to the decrypt so it can
1476 			 * be used later for an XOR operation
1477 			 */
1478 			bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN),
1479 				tmi->dec_data.block, DEFAULT_AES_BLOCKLEN);
1480 
1481 			result = crypto_decrypt_update(tmi->dec_data.ctx,
1482 					&ct, &pt, NULL);
1483 			if (result != CRYPTO_SUCCESS) {
1484 				cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1485 					"crypto_decrypt_update(1) error - "
1486 					"result = 0x%08x", result);
1487 				goto cleanup;
1488 			}
1489 			xorblock(tmp2, tmp);
1490 			bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN,
1491 				DEFAULT_AES_BLOCKLEN);
1492 			/*
1493 			 * The original cipher text is used as the xor
1494 			 * for the next block, save it here.
1495 			 */
1496 			bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN);
1497 		}
1498 		ct.cd_raw.iov_base = (char *)buff +
1499 			((nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1500 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1501 		pt.cd_raw.iov_base = (char *)tmp2;
1502 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1503 
1504 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1505 				&ct, &pt, NULL);
1506 		if (result != CRYPTO_SUCCESS) {
1507 			cmn_err(CE_WARN,
1508 				"aes_cbc_cts_decrypt: "
1509 				"crypto_decrypt_update(2) error -"
1510 				" result = 0x%08x", result);
1511 			goto cleanup;
1512 		}
1513 		bzero(tmp3, sizeof (tmp3));
1514 		bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1515 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1516 
1517 		xorblock(tmp2, tmp3);
1518 		bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1519 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1520 
1521 		/* 2nd to last block ... */
1522 		bcopy(tmp3, tmp2,
1523 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1524 
1525 		ct.cd_raw.iov_base = (char *)tmp2;
1526 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1527 		pt.cd_raw.iov_base = (char *)tmp3;
1528 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1529 
1530 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1531 				&ct, &pt, NULL);
1532 		if (result != CRYPTO_SUCCESS) {
1533 			cmn_err(CE_WARN,
1534 				"aes_cbc_cts_decrypt: "
1535 				"crypto_decrypt_update(3) error - "
1536 				"result = 0x%08x", result);
1537 			goto cleanup;
1538 		}
1539 		xorblock(tmp3, tmp);
1540 
1541 
1542 		/* Finally, update the 2nd to last block and we are done. */
1543 		bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1544 			DEFAULT_AES_BLOCKLEN);
1545 
1546 		/* Do Final step, but ignore output */
1547 		pt.cd_raw.iov_base = (char *)tmp2;
1548 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1549 		result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL);
1550 		if (result != CRYPTO_SUCCESS) {
1551 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1552 				"crypto_decrypt_final error - "
1553 				"result = 0x%0x", result);
1554 		}
1555 		tmi->dec_data.ctx = NULL;
1556 	}
1557 
1558 cleanup:
1559 	bzero(tmp, sizeof (tmp));
1560 	bzero(tmp2, sizeof (tmp));
1561 	bzero(tmp3, sizeof (tmp));
1562 	bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
1563 	return (result);
1564 }
1565 
1566 /*
1567  * AES decrypt
1568  *
1569  * format of ciphertext when using AES
1570  *  +-------------+------------+------------+
1571  *  |  confounder | msg-data   |  hmac      |
1572  *  +-------------+------------+------------+
1573  */
1574 static mblk_t *
aes_decrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)1575 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1576 	hash_info_t *hash)
1577 {
1578 	int result;
1579 	size_t enclen;
1580 	size_t inlen;
1581 	uchar_t hmacbuff[64];
1582 	uchar_t tmpiv[DEFAULT_AES_BLOCKLEN];
1583 
1584 	inlen = (size_t)MBLKL(mp);
1585 
1586 	enclen = inlen - AES_TRUNCATED_HMAC_LEN;
1587 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1588 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) {
1589 		int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) /
1590 				DEFAULT_AES_BLOCKLEN;
1591 		bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2),
1592 			tmpiv, DEFAULT_AES_BLOCKLEN);
1593 	}
1594 
1595 	/* AES Decrypt */
1596 	result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen);
1597 
1598 	if (result != CRYPTO_SUCCESS) {
1599 		cmn_err(CE_WARN,
1600 			"aes_decrypt:  aes_cbc_cts_decrypt "
1601 			"failed - error %0x", result);
1602 		goto cleanup;
1603 	}
1604 
1605 	/* Verify the HMAC */
1606 	result = do_hmac(sha1_hmac_mech,
1607 			&tmi->dec_data.d_hmac_key,
1608 			(char *)mp->b_rptr, enclen,
1609 			(char *)hmacbuff, hash->hash_len);
1610 
1611 	if (result != CRYPTO_SUCCESS) {
1612 		cmn_err(CE_WARN,
1613 			"aes_decrypt:  do_hmac failed - error %0x", result);
1614 		goto cleanup;
1615 	}
1616 
1617 	if (bcmp(hmacbuff, mp->b_rptr + enclen,
1618 		AES_TRUNCATED_HMAC_LEN) != 0) {
1619 		result = -1;
1620 		cmn_err(CE_WARN, "aes_decrypt: checksum verification failed");
1621 		goto cleanup;
1622 	}
1623 
1624 	/* truncate the mblk at the end of the decrypted text */
1625 	mp->b_wptr = mp->b_rptr + enclen;
1626 
1627 	/* Adjust the beginning of the buffer to skip the confounder */
1628 	mp->b_rptr += DEFAULT_AES_BLOCKLEN;
1629 
1630 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1631 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0)
1632 		bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN);
1633 
1634 cleanup:
1635 	if (result != CRYPTO_SUCCESS) {
1636 		mp->b_datap->db_type = M_ERROR;
1637 		mp->b_rptr = mp->b_datap->db_base;
1638 		*mp->b_rptr = EIO;
1639 		mp->b_wptr = mp->b_rptr + sizeof (char);
1640 		freemsg(mp->b_cont);
1641 		mp->b_cont = NULL;
1642 		qreply(WR(q), mp);
1643 		return (NULL);
1644 	}
1645 	return (mp);
1646 }
1647 
1648 /*
1649  * AES encrypt
1650  *
1651  * format of ciphertext when using AES
1652  *  +-------------+------------+------------+
1653  *  |  confounder | msg-data   |  hmac      |
1654  *  +-------------+------------+------------+
1655  */
1656 static mblk_t *
aes_encrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)1657 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1658 	hash_info_t *hash)
1659 {
1660 	int result;
1661 	size_t cipherlen;
1662 	size_t inlen;
1663 	uchar_t hmacbuff[64];
1664 
1665 	inlen = (size_t)MBLKL(mp);
1666 
1667 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
1668 
1669 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1670 
1671 	/*
1672 	 * Shift the rptr back enough to insert the confounder.
1673 	 */
1674 	mp->b_rptr -= DEFAULT_AES_BLOCKLEN;
1675 
1676 	/* Get random data for confounder */
1677 	(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
1678 		DEFAULT_AES_BLOCKLEN);
1679 
1680 	/*
1681 	 * Because we encrypt in-place, we need to calculate
1682 	 * the HMAC of the plaintext now, then stick it on
1683 	 * the end of the ciphertext down below.
1684 	 */
1685 	result = do_hmac(sha1_hmac_mech,
1686 			&tmi->enc_data.d_hmac_key,
1687 			(char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen,
1688 			(char *)hmacbuff, hash->hash_len);
1689 
1690 	if (result != CRYPTO_SUCCESS) {
1691 		cmn_err(CE_WARN, "aes_encrypt:  do_hmac failed - error %0x",
1692 			result);
1693 		goto cleanup;
1694 	}
1695 	/* Encrypt using AES-CBC-CTS */
1696 	result = aes_cbc_cts_encrypt(tmi, mp->b_rptr,
1697 		inlen + DEFAULT_AES_BLOCKLEN);
1698 
1699 	if (result != CRYPTO_SUCCESS) {
1700 		cmn_err(CE_WARN, "aes_encrypt:  aes_cbc_cts_encrypt "
1701 			"failed - error %0x", result);
1702 		goto cleanup;
1703 	}
1704 
1705 	/* copy the truncated HMAC to the end of the mblk */
1706 	bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen,
1707 		AES_TRUNCATED_HMAC_LEN);
1708 
1709 	mp->b_wptr = mp->b_rptr + cipherlen;
1710 
1711 	/*
1712 	 * The final block of cipher text (not the HMAC) is used
1713 	 * as the next IV.
1714 	 */
1715 	if (tmi->enc_data.ivec_usage != IVEC_NEVER &&
1716 	    tmi->enc_data.ivec != NULL) {
1717 		int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) /
1718 			DEFAULT_AES_BLOCKLEN;
1719 
1720 		bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1721 			tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN);
1722 	}
1723 
1724 cleanup:
1725 	if (result != CRYPTO_SUCCESS) {
1726 		mp->b_datap->db_type = M_ERROR;
1727 		mp->b_rptr = mp->b_datap->db_base;
1728 		*mp->b_rptr = EIO;
1729 		mp->b_wptr = mp->b_rptr + sizeof (char);
1730 		freemsg(mp->b_cont);
1731 		mp->b_cont = NULL;
1732 		qreply(WR(q), mp);
1733 		return (NULL);
1734 	}
1735 	return (mp);
1736 }
1737 
1738 /*
1739  * ARCFOUR-HMAC-MD5 decrypt
1740  *
1741  * format of ciphertext when using ARCFOUR-HMAC-MD5
1742  *  +-----------+------------+------------+
1743  *  |  hmac     | confounder |  msg-data  |
1744  *  +-----------+------------+------------+
1745  *
1746  */
1747 static mblk_t *
arcfour_hmac_md5_decrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)1748 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1749 			hash_info_t *hash)
1750 {
1751 	int result;
1752 	size_t cipherlen;
1753 	size_t inlen;
1754 	size_t saltlen;
1755 	crypto_key_t k1, k2;
1756 	crypto_data_t indata;
1757 	iovec_t v1;
1758 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1759 				0xab, 0xab, 0xab, 0xab };
1760 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1761 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1762 	uchar_t cksum[MD5_HASHSIZE];
1763 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1764 	crypto_mechanism_t mech;
1765 	int usage;
1766 
1767 	bzero(&indata, sizeof (indata));
1768 
1769 	/* The usage constant is 1026 for all "old" rcmd mode operations */
1770 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
1771 		usage = RCMDV1_USAGE;
1772 	else
1773 		usage = ARCFOUR_DECRYPT_USAGE;
1774 
1775 	/*
1776 	 * The size at this point should be the size of
1777 	 * all the plaintext plus the optional plaintext length
1778 	 * needed for RCMD V2 mode.  There should also be room
1779 	 * at the head of the mblk for the confounder and hash info.
1780 	 */
1781 	inlen = (size_t)MBLKL(mp);
1782 
1783 	/*
1784 	 * The cipherlen does not include the HMAC at the
1785 	 * head of the buffer.
1786 	 */
1787 	cipherlen = inlen - hash->hash_len;
1788 
1789 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1790 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1791 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
1792 		saltdata[9] = 0;
1793 		saltdata[10] = usage & 0xff;
1794 		saltdata[11] = (usage >> 8) & 0xff;
1795 		saltdata[12] = (usage >> 16) & 0xff;
1796 		saltdata[13] = (usage >> 24) & 0xff;
1797 		saltlen = 14;
1798 	} else {
1799 		saltdata[0] = usage & 0xff;
1800 		saltdata[1] = (usage >> 8) & 0xff;
1801 		saltdata[2] = (usage >> 16) & 0xff;
1802 		saltdata[3] = (usage >> 24) & 0xff;
1803 		saltlen = 4;
1804 	}
1805 	/*
1806 	 * Use the salt value to create a key to be used
1807 	 * for subsequent HMAC operations.
1808 	 */
1809 	result = do_hmac(md5_hmac_mech,
1810 			tmi->dec_data.ckey,
1811 			(char *)saltdata, saltlen,
1812 			(char *)k1data, sizeof (k1data));
1813 	if (result != CRYPTO_SUCCESS) {
1814 		cmn_err(CE_WARN,
1815 			"arcfour_hmac_md5_decrypt:  do_hmac(k1)"
1816 			"failed - error %0x", result);
1817 		goto cleanup;
1818 	}
1819 	bcopy(k1data, k2data, sizeof (k1data));
1820 
1821 	/*
1822 	 * For the neutered MS RC4 encryption type,
1823 	 * set the trailing 9 bytes to 0xab per the
1824 	 * RC4-HMAC spec.
1825 	 */
1826 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1827 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
1828 	}
1829 
1830 	mech.cm_type = tmi->dec_data.mech_type;
1831 	mech.cm_param = NULL;
1832 	mech.cm_param_len = 0;
1833 
1834 	/*
1835 	 * If we have not yet initialized the decryption key,
1836 	 * context, and template, do it now.
1837 	 */
1838 	if (tmi->dec_data.ctx == NULL ||
1839 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
1840 		k1.ck_format = CRYPTO_KEY_RAW;
1841 		k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8;
1842 		k1.ck_data = k1data;
1843 
1844 		tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW;
1845 		tmi->dec_data.d_encr_key.ck_length = k1.ck_length;
1846 		if (tmi->dec_data.d_encr_key.ck_data == NULL)
1847 			tmi->dec_data.d_encr_key.ck_data = kmem_zalloc(
1848 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
1849 
1850 		/*
1851 		 * HMAC operation creates the encryption
1852 		 * key to be used for the decrypt operations.
1853 		 */
1854 		result = do_hmac(md5_hmac_mech, &k1,
1855 			(char *)mp->b_rptr, hash->hash_len,
1856 			(char *)tmi->dec_data.d_encr_key.ck_data,
1857 			CRYPT_ARCFOUR_KEYBYTES);
1858 
1859 
1860 		if (result != CRYPTO_SUCCESS) {
1861 			cmn_err(CE_WARN,
1862 				"arcfour_hmac_md5_decrypt:  do_hmac(k3)"
1863 				"failed - error %0x", result);
1864 			goto cleanup;
1865 		}
1866 	}
1867 
1868 	tmi->dec_data.enc_tmpl = NULL;
1869 
1870 	if (tmi->dec_data.ctx == NULL &&
1871 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
1872 		/*
1873 		 * Only create a template if we are doing
1874 		 * chaining from block to block.
1875 		 */
1876 		result = crypto_create_ctx_template(&mech,
1877 			&tmi->dec_data.d_encr_key,
1878 			&tmi->dec_data.enc_tmpl,
1879 			KM_SLEEP);
1880 		if (result == CRYPTO_NOT_SUPPORTED) {
1881 			tmi->dec_data.enc_tmpl = NULL;
1882 		} else if (result != CRYPTO_SUCCESS) {
1883 			cmn_err(CE_WARN,
1884 				"arcfour_hmac_md5_decrypt:  "
1885 				"failed to create dec template "
1886 				"for RC4 encrypt: %0x", result);
1887 			goto cleanup;
1888 		}
1889 
1890 		result = crypto_decrypt_init(&mech,
1891 			&tmi->dec_data.d_encr_key,
1892 			tmi->dec_data.enc_tmpl,
1893 			&tmi->dec_data.ctx, NULL);
1894 
1895 		if (result != CRYPTO_SUCCESS) {
1896 			cmn_err(CE_WARN, "crypto_decrypt_init failed:"
1897 				" %0x", result);
1898 			goto cleanup;
1899 		}
1900 	}
1901 
1902 	/* adjust the rptr so we don't decrypt the original hmac field */
1903 
1904 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
1905 	v1.iov_len = cipherlen;
1906 
1907 	indata.cd_format = CRYPTO_DATA_RAW;
1908 	indata.cd_offset = 0;
1909 	indata.cd_length = cipherlen;
1910 	indata.cd_raw = v1;
1911 
1912 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
1913 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1914 			&indata, NULL, NULL);
1915 	else
1916 		result = crypto_decrypt(&mech, &indata,
1917 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1918 
1919 	if (result != CRYPTO_SUCCESS) {
1920 		cmn_err(CE_WARN, "crypto_decrypt_update failed:"
1921 			" %0x", result);
1922 		goto cleanup;
1923 	}
1924 
1925 	k2.ck_format = CRYPTO_KEY_RAW;
1926 	k2.ck_length = sizeof (k2data) * 8;
1927 	k2.ck_data = k2data;
1928 
1929 	result = do_hmac(md5_hmac_mech,
1930 			&k2,
1931 			(char *)mp->b_rptr + hash->hash_len, cipherlen,
1932 			(char *)cksum, hash->hash_len);
1933 
1934 	if (result != CRYPTO_SUCCESS) {
1935 		cmn_err(CE_WARN,
1936 			"arcfour_hmac_md5_decrypt:  do_hmac(k2)"
1937 			"failed - error %0x", result);
1938 		goto cleanup;
1939 	}
1940 
1941 	if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) {
1942 		cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed");
1943 		result = -1;
1944 		goto cleanup;
1945 	}
1946 
1947 	/*
1948 	 * adjust the start of the mblk to skip over the
1949 	 * hash and confounder.
1950 	 */
1951 	mp->b_rptr += hash->hash_len + hash->confound_len;
1952 
1953 cleanup:
1954 	bzero(k1data, sizeof (k1data));
1955 	bzero(k2data, sizeof (k2data));
1956 	bzero(cksum, sizeof (cksum));
1957 	bzero(saltdata, sizeof (saltdata));
1958 	if (result != CRYPTO_SUCCESS) {
1959 		mp->b_datap->db_type = M_ERROR;
1960 		mp->b_rptr = mp->b_datap->db_base;
1961 		*mp->b_rptr = EIO;
1962 		mp->b_wptr = mp->b_rptr + sizeof (char);
1963 		freemsg(mp->b_cont);
1964 		mp->b_cont = NULL;
1965 		qreply(WR(q), mp);
1966 		return (NULL);
1967 	}
1968 	return (mp);
1969 }
1970 
1971 /*
1972  * ARCFOUR-HMAC-MD5 encrypt
1973  *
1974  * format of ciphertext when using ARCFOUR-HMAC-MD5
1975  *  +-----------+------------+------------+
1976  *  |  hmac     | confounder |  msg-data  |
1977  *  +-----------+------------+------------+
1978  *
1979  */
1980 static mblk_t *
arcfour_hmac_md5_encrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)1981 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1982 			hash_info_t *hash)
1983 {
1984 	int result;
1985 	size_t cipherlen;
1986 	size_t inlen;
1987 	size_t saltlen;
1988 	crypto_key_t k1, k2;
1989 	crypto_data_t indata;
1990 	iovec_t v1;
1991 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1992 				0xab, 0xab, 0xab, 0xab };
1993 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1994 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1995 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1996 	crypto_mechanism_t mech;
1997 	int usage;
1998 
1999 	bzero(&indata, sizeof (indata));
2000 
2001 	/* The usage constant is 1026 for all "old" rcmd mode operations */
2002 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
2003 		usage = RCMDV1_USAGE;
2004 	else
2005 		usage = ARCFOUR_ENCRYPT_USAGE;
2006 
2007 	mech.cm_type = tmi->enc_data.mech_type;
2008 	mech.cm_param = NULL;
2009 	mech.cm_param_len = 0;
2010 
2011 	/*
2012 	 * The size at this point should be the size of
2013 	 * all the plaintext plus the optional plaintext length
2014 	 * needed for RCMD V2 mode.  There should also be room
2015 	 * at the head of the mblk for the confounder and hash info.
2016 	 */
2017 	inlen = (size_t)MBLKL(mp);
2018 
2019 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2020 
2021 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2022 
2023 	/*
2024 	 * Shift the rptr back enough to insert
2025 	 * the confounder and hash.
2026 	 */
2027 	mp->b_rptr -= (hash->confound_len + hash->hash_len);
2028 
2029 	/* zero out the hash area */
2030 	bzero(mp->b_rptr, (size_t)hash->hash_len);
2031 
2032 	if (cipherlen > inlen) {
2033 		bzero(mp->b_wptr, MBLKTAIL(mp));
2034 	}
2035 
2036 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2037 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
2038 		saltdata[9] = 0;
2039 		saltdata[10] = usage & 0xff;
2040 		saltdata[11] = (usage >> 8) & 0xff;
2041 		saltdata[12] = (usage >> 16) & 0xff;
2042 		saltdata[13] = (usage >> 24) & 0xff;
2043 		saltlen = 14;
2044 	} else {
2045 		saltdata[0] = usage & 0xff;
2046 		saltdata[1] = (usage >> 8) & 0xff;
2047 		saltdata[2] = (usage >> 16) & 0xff;
2048 		saltdata[3] = (usage >> 24) & 0xff;
2049 		saltlen = 4;
2050 	}
2051 	/*
2052 	 * Use the salt value to create a key to be used
2053 	 * for subsequent HMAC operations.
2054 	 */
2055 	result = do_hmac(md5_hmac_mech,
2056 			tmi->enc_data.ckey,
2057 			(char *)saltdata, saltlen,
2058 			(char *)k1data, sizeof (k1data));
2059 	if (result != CRYPTO_SUCCESS) {
2060 		cmn_err(CE_WARN,
2061 			"arcfour_hmac_md5_encrypt:  do_hmac(k1)"
2062 			"failed - error %0x", result);
2063 		goto cleanup;
2064 	}
2065 
2066 	bcopy(k1data, k2data, sizeof (k2data));
2067 
2068 	/*
2069 	 * For the neutered MS RC4 encryption type,
2070 	 * set the trailing 9 bytes to 0xab per the
2071 	 * RC4-HMAC spec.
2072 	 */
2073 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2074 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
2075 	}
2076 
2077 	/*
2078 	 * Get the confounder bytes.
2079 	 */
2080 	(void) random_get_pseudo_bytes(
2081 			(uint8_t *)(mp->b_rptr + hash->hash_len),
2082 			(size_t)hash->confound_len);
2083 
2084 	k2.ck_data = k2data;
2085 	k2.ck_format = CRYPTO_KEY_RAW;
2086 	k2.ck_length = sizeof (k2data) * 8;
2087 
2088 	/*
2089 	 * This writes the HMAC to the hash area in the
2090 	 * mblk.  The key used is the one just created by
2091 	 * the previous HMAC operation.
2092 	 * The data being processed is the confounder bytes
2093 	 * PLUS the input plaintext.
2094 	 */
2095 	result = do_hmac(md5_hmac_mech, &k2,
2096 			(char *)mp->b_rptr + hash->hash_len,
2097 			hash->confound_len + inlen,
2098 			(char *)mp->b_rptr, hash->hash_len);
2099 	if (result != CRYPTO_SUCCESS) {
2100 		cmn_err(CE_WARN,
2101 			"arcfour_hmac_md5_encrypt:  do_hmac(k2)"
2102 			"failed - error %0x", result);
2103 		goto cleanup;
2104 	}
2105 	/*
2106 	 * Because of the odd way that MIT uses RC4 keys
2107 	 * on the rlogin stream, we only need to create
2108 	 * this key once.
2109 	 * However, if using "old" rcmd mode, we need to do
2110 	 * it every time.
2111 	 */
2112 	if (tmi->enc_data.ctx == NULL ||
2113 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
2114 		crypto_key_t *key = &tmi->enc_data.d_encr_key;
2115 
2116 		k1.ck_data = k1data;
2117 		k1.ck_format = CRYPTO_KEY_RAW;
2118 		k1.ck_length = sizeof (k1data) * 8;
2119 
2120 		key->ck_format = CRYPTO_KEY_RAW;
2121 		key->ck_length = k1.ck_length;
2122 		if (key->ck_data == NULL)
2123 			key->ck_data = kmem_zalloc(
2124 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
2125 
2126 		/*
2127 		 * The final HMAC operation creates the encryption
2128 		 * key to be used for the encrypt operation.
2129 		 */
2130 		result = do_hmac(md5_hmac_mech, &k1,
2131 			(char *)mp->b_rptr, hash->hash_len,
2132 			(char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES);
2133 
2134 		if (result != CRYPTO_SUCCESS) {
2135 			cmn_err(CE_WARN,
2136 				"arcfour_hmac_md5_encrypt:  do_hmac(k3)"
2137 				"failed - error %0x", result);
2138 			goto cleanup;
2139 		}
2140 	}
2141 
2142 	/*
2143 	 * If the context has not been initialized, do it now.
2144 	 */
2145 	if (tmi->enc_data.ctx == NULL &&
2146 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
2147 		/*
2148 		 * Only create a template if we are doing
2149 		 * chaining from block to block.
2150 		 */
2151 		result = crypto_create_ctx_template(&mech,
2152 				&tmi->enc_data.d_encr_key,
2153 				&tmi->enc_data.enc_tmpl,
2154 				KM_SLEEP);
2155 		if (result == CRYPTO_NOT_SUPPORTED) {
2156 			tmi->enc_data.enc_tmpl = NULL;
2157 		} else if (result != CRYPTO_SUCCESS) {
2158 			cmn_err(CE_WARN, "failed to create enc template "
2159 				"for RC4 encrypt: %0x", result);
2160 			goto cleanup;
2161 		}
2162 
2163 		result = crypto_encrypt_init(&mech,
2164 					&tmi->enc_data.d_encr_key,
2165 					tmi->enc_data.enc_tmpl,
2166 					&tmi->enc_data.ctx, NULL);
2167 		if (result != CRYPTO_SUCCESS) {
2168 			cmn_err(CE_WARN, "crypto_encrypt_init failed:"
2169 				" %0x", result);
2170 			goto cleanup;
2171 		}
2172 	}
2173 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
2174 	v1.iov_len = hash->confound_len + inlen;
2175 
2176 	indata.cd_format = CRYPTO_DATA_RAW;
2177 	indata.cd_offset = 0;
2178 	indata.cd_length = hash->confound_len + inlen;
2179 	indata.cd_raw = v1;
2180 
2181 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2182 		result = crypto_encrypt_update(tmi->enc_data.ctx,
2183 			&indata, NULL, NULL);
2184 	else
2185 		result = crypto_encrypt(&mech, &indata,
2186 			&tmi->enc_data.d_encr_key, NULL,
2187 			NULL, NULL);
2188 
2189 	if (result != CRYPTO_SUCCESS) {
2190 		cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x",
2191 			result);
2192 	}
2193 
2194 cleanup:
2195 	bzero(k1data, sizeof (k1data));
2196 	bzero(k2data, sizeof (k2data));
2197 	bzero(saltdata, sizeof (saltdata));
2198 	if (result != CRYPTO_SUCCESS) {
2199 		mp->b_datap->db_type = M_ERROR;
2200 		mp->b_rptr = mp->b_datap->db_base;
2201 		*mp->b_rptr = EIO;
2202 		mp->b_wptr = mp->b_rptr + sizeof (char);
2203 		freemsg(mp->b_cont);
2204 		mp->b_cont = NULL;
2205 		qreply(WR(q), mp);
2206 		return (NULL);
2207 	}
2208 	return (mp);
2209 }
2210 
2211 /*
2212  * DES-CBC-[HASH] encrypt
2213  *
2214  * Needed to support userland apps that must support Kerberos V5
2215  * encryption DES-CBC encryption modes.
2216  *
2217  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2218  *
2219  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2220  *  +-----------+----------+-------------+-----+
2221  *  |confounder |  cksum   |   msg-data  | pad |
2222  *  +-----------+----------+-------------+-----+
2223  *
2224  * format of ciphertext when using DES3-SHA1-HMAC
2225  *  +-----------+----------+-------------+-----+
2226  *  |confounder |  msg-data  |   hmac    | pad |
2227  *  +-----------+----------+-------------+-----+
2228  *
2229  *  The confounder is 8 bytes of random data.
2230  *  The cksum depends on the hash being used.
2231  *   4 bytes for CRC32
2232  *  16 bytes for MD5
2233  *  20 bytes for SHA1
2234  *   0 bytes for RAW
2235  *
2236  */
2237 static mblk_t *
des_cbc_encrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)2238 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2239 {
2240 	int result;
2241 	size_t cipherlen;
2242 	size_t inlen;
2243 	size_t plainlen;
2244 
2245 	/*
2246 	 * The size at this point should be the size of
2247 	 * all the plaintext plus the optional plaintext length
2248 	 * needed for RCMD V2 mode.  There should also be room
2249 	 * at the head of the mblk for the confounder and hash info.
2250 	 */
2251 	inlen = (size_t)MBLKL(mp);
2252 
2253 	/*
2254 	 * The output size will be a multiple of 8 because this algorithm
2255 	 * only works on 8 byte chunks.
2256 	 */
2257 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2258 
2259 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2260 
2261 	if (cipherlen > inlen) {
2262 		bzero(mp->b_wptr, MBLKTAIL(mp));
2263 	}
2264 
2265 	/*
2266 	 * Shift the rptr back enough to insert
2267 	 * the confounder and hash.
2268 	 */
2269 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2270 		mp->b_rptr -= hash->confound_len;
2271 	} else {
2272 		mp->b_rptr -= (hash->confound_len + hash->hash_len);
2273 
2274 		/* zero out the hash area */
2275 		bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
2276 	}
2277 
2278 	/* get random confounder from our friend, the 'random' module */
2279 	if (hash->confound_len > 0) {
2280 		(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
2281 				    (size_t)hash->confound_len);
2282 	}
2283 
2284 	/*
2285 	 * For 3DES we calculate an HMAC later.
2286 	 */
2287 	if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
2288 		/* calculate chksum of confounder + input */
2289 		if (hash->hash_len > 0 && hash->hashfunc != NULL) {
2290 			uchar_t cksum[MAX_CKSUM_LEN];
2291 
2292 			result = hash->hashfunc(cksum, mp->b_rptr,
2293 				cipherlen);
2294 			if (result != CRYPTO_SUCCESS) {
2295 				goto failure;
2296 			}
2297 
2298 			/* put hash in place right after the confounder */
2299 			bcopy(cksum, (mp->b_rptr + hash->confound_len),
2300 			    (size_t)hash->hash_len);
2301 		}
2302 	}
2303 	/*
2304 	 * In order to support the "old" Kerberos RCMD protocol,
2305 	 * we must use the IVEC 3 different ways:
2306 	 *   IVEC_REUSE = keep using the same IV each time, this is
2307 	 *		ugly and insecure, but necessary for
2308 	 *		backwards compatibility with existing MIT code.
2309 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2310 	 *		was setup (see setup_crypto routine).
2311 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2312 	 */
2313 	if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
2314 		bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
2315 	} else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
2316 		bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
2317 		    tmi->enc_data.blocklen);
2318 	}
2319 
2320 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2321 		/*
2322 		 * The input length already included the hash size,
2323 		 * don't include this in the plaintext length
2324 		 * calculations.
2325 		 */
2326 		plainlen = cipherlen - hash->hash_len;
2327 
2328 		mp->b_wptr = mp->b_rptr + plainlen;
2329 
2330 		result = kef_encr_hmac(&tmi->enc_data,
2331 			(void *)mp, (size_t)plainlen,
2332 			(char *)(mp->b_rptr + plainlen),
2333 			hash->hash_len);
2334 	} else {
2335 		ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
2336 		mp->b_wptr = mp->b_rptr + cipherlen;
2337 		result = kef_crypt(&tmi->enc_data, (void *)mp,
2338 			CRYPTO_DATA_MBLK, (size_t)cipherlen,
2339 			CRYPT_ENCRYPT);
2340 	}
2341 failure:
2342 	if (result != CRYPTO_SUCCESS) {
2343 #ifdef DEBUG
2344 		cmn_err(CE_WARN,
2345 			"des_cbc_encrypt: kef_crypt encrypt "
2346 			"failed (len: %ld) - error %0x",
2347 			cipherlen, result);
2348 #endif
2349 		mp->b_datap->db_type = M_ERROR;
2350 		mp->b_rptr = mp->b_datap->db_base;
2351 		*mp->b_rptr = EIO;
2352 		mp->b_wptr = mp->b_rptr + sizeof (char);
2353 		freemsg(mp->b_cont);
2354 		mp->b_cont = NULL;
2355 		qreply(WR(q), mp);
2356 		return (NULL);
2357 	} else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
2358 		/*
2359 		 * Because we are using KEF, we must manually
2360 		 * update our IV.
2361 		 */
2362 		bcopy(mp->b_wptr - tmi->enc_data.ivlen,
2363 			tmi->enc_data.block, tmi->enc_data.ivlen);
2364 	}
2365 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2366 		mp->b_wptr = mp->b_rptr + cipherlen;
2367 	}
2368 
2369 	return (mp);
2370 }
2371 
2372 /*
2373  * des_cbc_decrypt
2374  *
2375  *
2376  * Needed to support userland apps that must support Kerberos V5
2377  * encryption DES-CBC decryption modes.
2378  *
2379  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2380  *
2381  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2382  *  +-----------+----------+-------------+-----+
2383  *  |confounder |  cksum   |   msg-data  | pad |
2384  *  +-----------+----------+-------------+-----+
2385  *
2386  * format of ciphertext when using DES3-SHA1-HMAC
2387  *  +-----------+----------+-------------+-----+
2388  *  |confounder |  msg-data  |   hmac    | pad |
2389  *  +-----------+----------+-------------+-----+
2390  *
2391  *  The confounder is 8 bytes of random data.
2392  *  The cksum depends on the hash being used.
2393  *   4 bytes for CRC32
2394  *  16 bytes for MD5
2395  *  20 bytes for SHA1
2396  *   0 bytes for RAW
2397  *
2398  */
2399 static mblk_t *
des_cbc_decrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)2400 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2401 {
2402 	uint_t inlen, datalen;
2403 	int result = 0;
2404 	uchar_t *optr = NULL;
2405 	uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
2406 	uchar_t nextiv[DEFAULT_DES_BLOCKLEN];
2407 
2408 	/* Compute adjusted size */
2409 	inlen = MBLKL(mp);
2410 
2411 	optr = mp->b_rptr;
2412 
2413 	/*
2414 	 * In order to support the "old" Kerberos RCMD protocol,
2415 	 * we must use the IVEC 3 different ways:
2416 	 *   IVEC_REUSE = keep using the same IV each time, this is
2417 	 *		ugly and insecure, but necessary for
2418 	 *		backwards compatibility with existing MIT code.
2419 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2420 	 *		was setup (see setup_crypto routine).
2421 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2422 	 */
2423 	if (tmi->dec_data.ivec_usage == IVEC_NEVER)
2424 		bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
2425 	else if (tmi->dec_data.ivec_usage == IVEC_REUSE)
2426 		bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
2427 		    tmi->dec_data.blocklen);
2428 
2429 	if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2430 		/*
2431 		 * Do not decrypt the HMAC at the end
2432 		 */
2433 		int decrypt_len = inlen - hash->hash_len;
2434 
2435 		/*
2436 		 * Move the wptr so the mblk appears to end
2437 		 * BEFORE the HMAC section.
2438 		 */
2439 		mp->b_wptr = mp->b_rptr + decrypt_len;
2440 
2441 		/*
2442 		 * Because we are using KEF, we must manually update our
2443 		 * IV.
2444 		 */
2445 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2446 			bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen,
2447 				nextiv, tmi->dec_data.ivlen);
2448 		}
2449 
2450 		result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
2451 			(char *)newcksum, hash->hash_len);
2452 	} else {
2453 		/*
2454 		 * Because we are using KEF, we must manually update our
2455 		 * IV.
2456 		 */
2457 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2458 			bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv,
2459 				tmi->dec_data.ivlen);
2460 		}
2461 		result = kef_crypt(&tmi->dec_data, (void *)mp,
2462 			CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
2463 	}
2464 	if (result != CRYPTO_SUCCESS) {
2465 #ifdef DEBUG
2466 		cmn_err(CE_WARN,
2467 			"des_cbc_decrypt: kef_crypt decrypt "
2468 			"failed - error %0x", result);
2469 #endif
2470 		mp->b_datap->db_type = M_ERROR;
2471 		mp->b_rptr = mp->b_datap->db_base;
2472 		*mp->b_rptr = EIO;
2473 		mp->b_wptr = mp->b_rptr + sizeof (char);
2474 		freemsg(mp->b_cont);
2475 		mp->b_cont = NULL;
2476 		qreply(WR(q), mp);
2477 		return (NULL);
2478 	}
2479 
2480 	/*
2481 	 * Manually update the IV, KEF does not track this for us.
2482 	 */
2483 	if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2484 		bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen);
2485 	}
2486 
2487 	/* Verify the checksum(if necessary) */
2488 	if (hash->hash_len > 0) {
2489 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2490 			bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
2491 				hash->hash_len);
2492 		} else {
2493 			bcopy(optr + hash->confound_len, cksum, hash->hash_len);
2494 
2495 			/* zero the cksum in the buffer */
2496 			ASSERT(optr + hash->confound_len + hash->hash_len <=
2497 				DB_LIM(mp));
2498 			bzero(optr + hash->confound_len, hash->hash_len);
2499 
2500 			/* calculate MD5 chksum of confounder + input */
2501 			if (hash->hashfunc) {
2502 				(void) hash->hashfunc(newcksum, optr, inlen);
2503 			}
2504 		}
2505 
2506 		if (bcmp(cksum, newcksum, hash->hash_len)) {
2507 #ifdef DEBUG
2508 			cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
2509 				"verification failed");
2510 #endif
2511 			mp->b_datap->db_type = M_ERROR;
2512 			mp->b_rptr = mp->b_datap->db_base;
2513 			*mp->b_rptr = EIO;
2514 			mp->b_wptr = mp->b_rptr + sizeof (char);
2515 			freemsg(mp->b_cont);
2516 			mp->b_cont = NULL;
2517 			qreply(WR(q), mp);
2518 			return (NULL);
2519 		}
2520 	}
2521 
2522 	datalen = inlen - hash->confound_len - hash->hash_len;
2523 
2524 	/* Move just the decrypted input into place if necessary */
2525 	if (hash->confound_len > 0 || hash->hash_len > 0) {
2526 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1)
2527 			mp->b_rptr += hash->confound_len;
2528 		else
2529 			mp->b_rptr += hash->confound_len + hash->hash_len;
2530 	}
2531 
2532 	ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
2533 	mp->b_wptr = mp->b_rptr + datalen;
2534 
2535 	return (mp);
2536 }
2537 
2538 static mblk_t *
do_decrypt(queue_t * q,mblk_t * mp)2539 do_decrypt(queue_t *q, mblk_t *mp)
2540 {
2541 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2542 	mblk_t *outmp;
2543 
2544 	switch (tmi->dec_data.method) {
2545 	case CRYPT_METHOD_DES_CFB:
2546 		outmp = des_cfb_decrypt(q, tmi, mp);
2547 		break;
2548 	case CRYPT_METHOD_NONE:
2549 		outmp = mp;
2550 		break;
2551 	case CRYPT_METHOD_DES_CBC_NULL:
2552 		outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
2553 		break;
2554 	case CRYPT_METHOD_DES_CBC_MD5:
2555 		outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
2556 		break;
2557 	case CRYPT_METHOD_DES_CBC_CRC:
2558 		outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
2559 		break;
2560 	case CRYPT_METHOD_DES3_CBC_SHA1:
2561 		outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
2562 		break;
2563 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2564 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2565 		outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
2566 		break;
2567 	case CRYPT_METHOD_AES128:
2568 	case CRYPT_METHOD_AES256:
2569 		outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
2570 		break;
2571 	}
2572 	return (outmp);
2573 }
2574 
2575 /*
2576  * do_encrypt
2577  *
2578  * Generic encryption routine for a single message block.
2579  * The input mblk may be replaced by some encrypt routines
2580  * because they add extra data in some cases that may exceed
2581  * the input mblk_t size limit.
2582  */
2583 static mblk_t *
do_encrypt(queue_t * q,mblk_t * mp)2584 do_encrypt(queue_t *q, mblk_t *mp)
2585 {
2586 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2587 	mblk_t *outmp;
2588 
2589 	switch (tmi->enc_data.method) {
2590 	case CRYPT_METHOD_DES_CFB:
2591 		outmp = des_cfb_encrypt(q, tmi, mp);
2592 		break;
2593 	case CRYPT_METHOD_DES_CBC_NULL:
2594 		outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
2595 		break;
2596 	case CRYPT_METHOD_DES_CBC_MD5:
2597 		outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
2598 		break;
2599 	case CRYPT_METHOD_DES_CBC_CRC:
2600 		outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
2601 		break;
2602 	case CRYPT_METHOD_DES3_CBC_SHA1:
2603 		outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
2604 		break;
2605 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2606 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2607 		outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
2608 		break;
2609 	case CRYPT_METHOD_AES128:
2610 	case CRYPT_METHOD_AES256:
2611 		outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
2612 		break;
2613 	case CRYPT_METHOD_NONE:
2614 		outmp = mp;
2615 		break;
2616 	}
2617 	return (outmp);
2618 }
2619 
2620 /*
2621  * setup_crypto
2622  *
2623  * This takes the data from the CRYPTIOCSETUP ioctl
2624  * and sets up a cipher_data_t structure for either
2625  * encryption or decryption.  This is where the
2626  * key and initialization vector data get stored
2627  * prior to beginning any crypto functions.
2628  *
2629  * Special note:
2630  *   Some applications(e.g. telnetd) have ability to switch
2631  * crypto on/off periodically.  Thus, the application may call
2632  * the CRYPTIOCSETUP ioctl many times for the same stream.
2633  * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
2634  * assume that the key, block, and saveblock fields that are already
2635  * set from a previous CRIOCSETUP call are still valid.  This helps avoid
2636  * a rekeying error that could occur if we overwrite these fields
2637  * with each CRYPTIOCSETUP call.
2638  *   In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
2639  * without resetting the original crypto parameters.
2640  *
2641  */
2642 static int
setup_crypto(struct cr_info_t * ci,struct cipher_data_t * cd,int encrypt)2643 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
2644 {
2645 	uint_t newblocklen;
2646 	uint32_t enc_usage = 0, dec_usage = 0;
2647 	int rv;
2648 
2649 	/*
2650 	 * Initial sanity checks
2651 	 */
2652 	if (!CR_METHOD_OK(ci->crypto_method)) {
2653 		cmn_err(CE_WARN, "Illegal crypto method (%d)",
2654 			ci->crypto_method);
2655 		return (EINVAL);
2656 	}
2657 	if (!CR_OPTIONS_OK(ci->option_mask)) {
2658 		cmn_err(CE_WARN, "Illegal crypto options (%d)",
2659 			ci->option_mask);
2660 		return (EINVAL);
2661 	}
2662 	if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
2663 		cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
2664 			ci->ivec_usage);
2665 		return (EINVAL);
2666 	}
2667 
2668 	cd->method = ci->crypto_method;
2669 	cd->bytes = 0;
2670 
2671 	if (ci->keylen > 0) {
2672 		if (cd->key != NULL) {
2673 			kmem_free(cd->key, cd->keylen);
2674 			cd->key = NULL;
2675 			cd->keylen = 0;
2676 		}
2677 		/*
2678 		 * cd->key holds the copy of the raw key bytes passed in
2679 		 * from the userland app.
2680 		 */
2681 		cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP);
2682 
2683 		cd->keylen = ci->keylen;
2684 		bcopy(ci->key, cd->key, (size_t)ci->keylen);
2685 	}
2686 
2687 	/*
2688 	 * Configure the block size based on the type of cipher.
2689 	 */
2690 	switch (cd->method) {
2691 		case CRYPT_METHOD_NONE:
2692 			newblocklen = 0;
2693 			break;
2694 		case CRYPT_METHOD_DES_CFB:
2695 			newblocklen = DEFAULT_DES_BLOCKLEN;
2696 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
2697 			break;
2698 		case CRYPT_METHOD_DES_CBC_NULL:
2699 		case CRYPT_METHOD_DES_CBC_MD5:
2700 		case CRYPT_METHOD_DES_CBC_CRC:
2701 			newblocklen = DEFAULT_DES_BLOCKLEN;
2702 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
2703 			break;
2704 		case CRYPT_METHOD_DES3_CBC_SHA1:
2705 			newblocklen = DEFAULT_DES_BLOCKLEN;
2706 			cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
2707 			/* 3DES always uses the old usage constant */
2708 			enc_usage = RCMDV1_USAGE;
2709 			dec_usage = RCMDV1_USAGE;
2710 			break;
2711 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2712 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2713 			newblocklen = 0;
2714 			cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
2715 			break;
2716 		case CRYPT_METHOD_AES128:
2717 		case CRYPT_METHOD_AES256:
2718 			newblocklen = DEFAULT_AES_BLOCKLEN;
2719 			cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
2720 			enc_usage = AES_ENCRYPT_USAGE;
2721 			dec_usage = AES_DECRYPT_USAGE;
2722 			break;
2723 	}
2724 	if (cd->mech_type == CRYPTO_MECH_INVALID) {
2725 		return (CRYPTO_FAILED);
2726 	}
2727 
2728 	/*
2729 	 * If RC4, initialize the master crypto key used by
2730 	 * the RC4 algorithm to derive the final encrypt and decrypt keys.
2731 	 */
2732 	if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
2733 		/*
2734 		 * cd->ckey is a kernel crypto key structure used as the
2735 		 * master key in the RC4-HMAC crypto operations.
2736 		 */
2737 		if (cd->ckey == NULL) {
2738 			cd->ckey = (crypto_key_t *)kmem_zalloc(
2739 				sizeof (crypto_key_t), KM_SLEEP);
2740 		}
2741 
2742 		cd->ckey->ck_format = CRYPTO_KEY_RAW;
2743 		cd->ckey->ck_data = cd->key;
2744 
2745 		/* key length for EF is measured in bits */
2746 		cd->ckey->ck_length = cd->keylen * 8;
2747 	}
2748 
2749 	/*
2750 	 * cd->block and cd->saveblock are used as temporary storage for
2751 	 * data that must be carried over between encrypt/decrypt operations
2752 	 * in some of the "feedback" modes.
2753 	 */
2754 	if (newblocklen != cd->blocklen) {
2755 		if (cd->block != NULL) {
2756 			kmem_free(cd->block, cd->blocklen);
2757 			cd->block = NULL;
2758 		}
2759 
2760 		if (cd->saveblock != NULL) {
2761 			kmem_free(cd->saveblock, cd->blocklen);
2762 			cd->saveblock = NULL;
2763 		}
2764 
2765 		cd->blocklen = newblocklen;
2766 		if (cd->blocklen) {
2767 			cd->block = (char *)kmem_zalloc((size_t)cd->blocklen,
2768 				KM_SLEEP);
2769 		}
2770 
2771 		if (cd->method == CRYPT_METHOD_DES_CFB)
2772 			cd->saveblock = (char *)kmem_zalloc(cd->blocklen,
2773 						KM_SLEEP);
2774 		else
2775 			cd->saveblock = NULL;
2776 	}
2777 
2778 	if (ci->iveclen != cd->ivlen) {
2779 		if (cd->ivec != NULL) {
2780 			kmem_free(cd->ivec, cd->ivlen);
2781 			cd->ivec = NULL;
2782 		}
2783 		if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
2784 			cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen,
2785 						KM_SLEEP);
2786 			cd->ivlen = ci->iveclen;
2787 		} else {
2788 			cd->ivlen = 0;
2789 			cd->ivec = NULL;
2790 		}
2791 	}
2792 	cd->option_mask = ci->option_mask;
2793 
2794 	/*
2795 	 * Old protocol requires a static 'usage' value for
2796 	 * deriving keys.  Yuk.
2797 	 */
2798 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
2799 		enc_usage = dec_usage = RCMDV1_USAGE;
2800 	}
2801 
2802 	if (cd->ivlen > cd->blocklen) {
2803 		cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
2804 		return (EINVAL);
2805 	}
2806 
2807 	/*
2808 	 * If we are using an IVEC "correctly" (i.e. set it once)
2809 	 * copy it here.
2810 	 */
2811 	if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
2812 		bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);
2813 
2814 	cd->ivec_usage = ci->ivec_usage;
2815 	if (cd->ivec != NULL) {
2816 		/* Save the original IVEC in case we need it later */
2817 		bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
2818 	}
2819 	/*
2820 	 * Special handling for 3DES-SHA1-HMAC and AES crypto:
2821 	 * generate derived keys and context templates
2822 	 * for better performance.
2823 	 */
2824 	if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
2825 	    IS_AES_METHOD(cd->method)) {
2826 		crypto_mechanism_t enc_mech;
2827 		crypto_mechanism_t hmac_mech;
2828 
2829 		if (cd->d_encr_key.ck_data != NULL) {
2830 			bzero(cd->d_encr_key.ck_data, cd->keylen);
2831 			kmem_free(cd->d_encr_key.ck_data, cd->keylen);
2832 		}
2833 
2834 		if (cd->d_hmac_key.ck_data != NULL) {
2835 			bzero(cd->d_hmac_key.ck_data, cd->keylen);
2836 			kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
2837 		}
2838 
2839 		if (cd->enc_tmpl != NULL)
2840 			(void) crypto_destroy_ctx_template(cd->enc_tmpl);
2841 
2842 		if (cd->hmac_tmpl != NULL)
2843 			(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
2844 
2845 		enc_mech.cm_type = cd->mech_type;
2846 		enc_mech.cm_param = cd->ivec;
2847 		enc_mech.cm_param_len = cd->ivlen;
2848 
2849 		hmac_mech.cm_type = sha1_hmac_mech;
2850 		hmac_mech.cm_param = NULL;
2851 		hmac_mech.cm_param_len = 0;
2852 
2853 		/*
2854 		 * Create the derived keys.
2855 		 */
2856 		rv = create_derived_keys(cd,
2857 			(encrypt ? enc_usage : dec_usage),
2858 			&cd->d_encr_key, &cd->d_hmac_key);
2859 
2860 		if (rv != CRYPTO_SUCCESS) {
2861 			cmn_err(CE_WARN, "failed to create derived "
2862 				"keys: %0x", rv);
2863 			return (CRYPTO_FAILED);
2864 		}
2865 
2866 		rv = crypto_create_ctx_template(&enc_mech,
2867 					&cd->d_encr_key,
2868 					&cd->enc_tmpl, KM_SLEEP);
2869 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2870 			cd->enc_tmpl = NULL;
2871 		} else if (rv != CRYPTO_SUCCESS) {
2872 			cmn_err(CE_WARN, "failed to create enc template "
2873 				"for d_encr_key: %0x", rv);
2874 			return (CRYPTO_FAILED);
2875 		}
2876 
2877 		rv = crypto_create_ctx_template(&hmac_mech,
2878 				&cd->d_hmac_key,
2879 				&cd->hmac_tmpl, KM_SLEEP);
2880 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2881 			cd->hmac_tmpl = NULL;
2882 		} else if (rv != CRYPTO_SUCCESS) {
2883 			cmn_err(CE_WARN, "failed to create hmac template:"
2884 				" %0x", rv);
2885 			return (CRYPTO_FAILED);
2886 		}
2887 	} else if (IS_RC4_METHOD(cd->method)) {
2888 		bzero(&cd->d_encr_key, sizeof (crypto_key_t));
2889 		bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
2890 		cd->ctx = NULL;
2891 		cd->enc_tmpl = NULL;
2892 		cd->hmac_tmpl = NULL;
2893 	}
2894 
2895 	/* Final sanity checks, make sure no fields are NULL */
2896 	if (cd->method != CRYPT_METHOD_NONE) {
2897 		if (cd->block == NULL && cd->blocklen > 0) {
2898 #ifdef DEBUG
2899 			cmn_err(CE_WARN,
2900 				"setup_crypto: IV block not allocated");
2901 #endif
2902 			return (ENOMEM);
2903 		}
2904 		if (cd->key == NULL && cd->keylen > 0) {
2905 #ifdef DEBUG
2906 			cmn_err(CE_WARN,
2907 				"setup_crypto: key block not allocated");
2908 #endif
2909 			return (ENOMEM);
2910 		}
2911 		if (cd->method == CRYPT_METHOD_DES_CFB &&
2912 		    cd->saveblock == NULL && cd->blocklen > 0) {
2913 #ifdef DEBUG
2914 			cmn_err(CE_WARN,
2915 				"setup_crypto: save block not allocated");
2916 #endif
2917 			return (ENOMEM);
2918 		}
2919 		if (cd->ivec == NULL && cd->ivlen > 0) {
2920 #ifdef DEBUG
2921 			cmn_err(CE_WARN,
2922 				"setup_crypto: IV not allocated");
2923 #endif
2924 			return (ENOMEM);
2925 		}
2926 	}
2927 	return (0);
2928 }
2929 
2930 /*
2931  * RCMDS require a 4 byte, clear text
2932  * length field before each message.
2933  * Add it now.
2934  */
2935 static mblk_t *
mklenmp(mblk_t * bp,uint32_t len)2936 mklenmp(mblk_t *bp, uint32_t len)
2937 {
2938 	mblk_t *lenmp;
2939 	uchar_t *ucp;
2940 
2941 	if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) {
2942 		lenmp = allocb(4, BPRI_MED);
2943 		if (lenmp != NULL) {
2944 			lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
2945 			linkb(lenmp, bp);
2946 			bp = lenmp;
2947 		}
2948 	}
2949 	ucp = bp->b_rptr;
2950 	*--ucp = len;
2951 	*--ucp = len >> 8;
2952 	*--ucp = len >> 16;
2953 	*--ucp = len >> 24;
2954 
2955 	bp->b_rptr = ucp;
2956 
2957 	return (bp);
2958 }
2959 
2960 static mblk_t *
encrypt_block(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,size_t plainlen)2961 encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen)
2962 {
2963 	mblk_t *newmp;
2964 	size_t headspace;
2965 
2966 	mblk_t *cbp;
2967 	size_t cipherlen;
2968 	size_t extra = 0;
2969 	uint32_t ptlen = (uint32_t)plainlen;
2970 	/*
2971 	 * If we are using the "NEW" RCMD mode,
2972 	 * add 4 bytes to the plaintext for the
2973 	 * plaintext length that gets prepended
2974 	 * before encrypting.
2975 	 */
2976 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2977 		ptlen += 4;
2978 
2979 	cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);
2980 
2981 	/*
2982 	 * if we must allocb, then make sure its enough
2983 	 * to hold the length field so we dont have to allocb
2984 	 * again down below in 'mklenmp'
2985 	 */
2986 	if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
2987 		extra = sizeof (uint32_t);
2988 	}
2989 
2990 	/*
2991 	 * Calculate how much space is needed in front of
2992 	 * the data.
2993 	 */
2994 	headspace = plaintext_offset(&tmi->enc_data);
2995 
2996 	/*
2997 	 * If the current block is too small, reallocate
2998 	 * one large enough to hold the hdr, tail, and
2999 	 * ciphertext.
3000 	 */
3001 	if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
3002 		int sz = P2ROUNDUP(cipherlen+extra, 8);
3003 
3004 		cbp = allocb_tmpl(sz, mp);
3005 		if (cbp == NULL) {
3006 			cmn_err(CE_WARN,
3007 				"allocb (%d bytes) failed", sz);
3008 			return (NULL);
3009 		}
3010 
3011 		cbp->b_cont = mp->b_cont;
3012 
3013 		/*
3014 		 * headspace includes the length fields needed
3015 		 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
3016 		 */
3017 		ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen+headspace, 8)
3018 			<= DB_LIM(cbp));
3019 
3020 		cbp->b_rptr = DB_BASE(cbp) + headspace;
3021 		bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
3022 		cbp->b_wptr = cbp->b_rptr + plainlen;
3023 
3024 		freeb(mp);
3025 	} else {
3026 		size_t extra = 0;
3027 		cbp = mp;
3028 
3029 		/*
3030 		 * Some ciphers add HMAC after the final block
3031 		 * of the ciphertext, not at the beginning like the
3032 		 * 1-DES ciphers.
3033 		 */
3034 		if (tmi->enc_data.method ==
3035 			CRYPT_METHOD_DES3_CBC_SHA1 ||
3036 		    IS_AES_METHOD(tmi->enc_data.method)) {
3037 			extra = sha1_hash.hash_len;
3038 		}
3039 
3040 		/*
3041 		 * Make sure the rptr is positioned correctly so that
3042 		 * routines later do not have to shift this data around
3043 		 */
3044 		if ((cbp->b_rptr + P2ROUNDUP(cipherlen + extra, 8) >
3045 			DB_LIM(cbp)) ||
3046 			(cbp->b_rptr - headspace < DB_BASE(cbp))) {
3047 			ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
3048 				plainlen);
3049 			cbp->b_rptr = DB_BASE(cbp) + headspace;
3050 			cbp->b_wptr = cbp->b_rptr + plainlen;
3051 		}
3052 	}
3053 
3054 	ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
3055 	ASSERT(cbp->b_wptr <= DB_LIM(cbp));
3056 
3057 	/*
3058 	 * If using RCMD_MODE_V2 (new rcmd mode), prepend
3059 	 * the plaintext length before the actual plaintext.
3060 	 */
3061 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
3062 		cbp->b_rptr -= RCMD_LEN_SZ;
3063 
3064 		/* put plaintext length at head of buffer */
3065 		*(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
3066 		*(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
3067 		*(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
3068 		*(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
3069 	}
3070 
3071 	newmp = do_encrypt(q, cbp);
3072 
3073 	if (newmp != NULL &&
3074 	    (tmi->enc_data.option_mask &
3075 	    (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
3076 		mblk_t *lp;
3077 		/*
3078 		 * Add length field, required when this is
3079 		 * used to encrypt "r*" commands(rlogin, rsh)
3080 		 * with Kerberos.
3081 		 */
3082 		lp = mklenmp(newmp, plainlen);
3083 
3084 		if (lp == NULL) {
3085 			freeb(newmp);
3086 			return (NULL);
3087 		} else {
3088 			newmp = lp;
3089 		}
3090 	}
3091 	return (newmp);
3092 }
3093 
3094 /*
3095  * encrypt_msgb
3096  *
3097  * encrypt a single message. This routine adds the
3098  * RCMD overhead bytes when necessary.
3099  */
3100 static mblk_t *
encrypt_msgb(queue_t * q,struct tmodinfo * tmi,mblk_t * mp)3101 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
3102 {
3103 	size_t plainlen, outlen;
3104 	mblk_t *newmp = NULL;
3105 
3106 	/* If not encrypting, do nothing */
3107 	if (tmi->enc_data.method == CRYPT_METHOD_NONE) {
3108 		return (mp);
3109 	}
3110 
3111 	plainlen = MBLKL(mp);
3112 	if (plainlen == 0)
3113 		return (NULL);
3114 
3115 	/*
3116 	 * If the block is too big, we encrypt in 4K chunks so that
3117 	 * older rlogin clients do not choke on the larger buffers.
3118 	 */
3119 	while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) {
3120 		mblk_t *mp1 = NULL;
3121 		outlen = MSGBUF_SIZE;
3122 		/*
3123 		 * Allocate a new buffer that is only 4K bytes, the
3124 		 * extra bytes are for crypto overhead.
3125 		 */
3126 		mp1 = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED);
3127 		if (mp1 == NULL) {
3128 			cmn_err(CE_WARN,
3129 				"allocb (%d bytes) failed",
3130 				(int)(outlen + CONFOUNDER_BYTES));
3131 			return (NULL);
3132 		}
3133 		/* Copy the next 4K bytes from the old block. */
3134 		bcopy(mp->b_rptr, mp1->b_rptr, outlen);
3135 		mp1->b_wptr = mp1->b_rptr + outlen;
3136 		/* Advance the old block. */
3137 		mp->b_rptr += outlen;
3138 
3139 		/* encrypt the new block */
3140 		newmp = encrypt_block(q, tmi, mp1, outlen);
3141 		if (newmp == NULL)
3142 			return (NULL);
3143 
3144 		putnext(q, newmp);
3145 	}
3146 	newmp = NULL;
3147 	/* If there is data left (< MSGBUF_SIZE), encrypt it. */
3148 	if ((plainlen = MBLKL(mp)) > 0)
3149 		newmp = encrypt_block(q, tmi, mp, plainlen);
3150 
3151 	return (newmp);
3152 }
3153 
3154 /*
3155  * cryptmodwsrv
3156  *
3157  * Service routine for the write queue.
3158  *
3159  * Because data may be placed in the queue to hold between
3160  * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
3161  */
3162 static int
cryptmodwsrv(queue_t * q)3163 cryptmodwsrv(queue_t *q)
3164 {
3165 	mblk_t *mp;
3166 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3167 
3168 	while ((mp = getq(q)) != NULL) {
3169 		switch (mp->b_datap->db_type) {
3170 		default:
3171 			/*
3172 			 * wput does not queue anything > QPCTL
3173 			 */
3174 			if (!canputnext(q) ||
3175 			    !(tmi->ready & CRYPT_WRITE_READY)) {
3176 				if (!putbq(q, mp)) {
3177 					freemsg(mp);
3178 				}
3179 				return (0);
3180 			}
3181 			putnext(q, mp);
3182 			break;
3183 		case M_DATA:
3184 			if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) {
3185 				mblk_t *bp;
3186 				mblk_t *newmsg = NULL;
3187 
3188 				/*
3189 				 * If multiple msgs, concat into 1
3190 				 * to minimize crypto operations later.
3191 				 */
3192 				if (mp->b_cont != NULL) {
3193 					bp = msgpullup(mp, -1);
3194 					if (bp != NULL) {
3195 						freemsg(mp);
3196 						mp = bp;
3197 					}
3198 				}
3199 				newmsg = encrypt_msgb(q, tmi, mp);
3200 				if (newmsg != NULL)
3201 					putnext(q, newmsg);
3202 			} else {
3203 				if (!putbq(q, mp)) {
3204 					freemsg(mp);
3205 				}
3206 				return (0);
3207 			}
3208 			break;
3209 		}
3210 	}
3211 	return (0);
3212 }
3213 
3214 static void
start_stream(queue_t * wq,mblk_t * mp,uchar_t dir)3215 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
3216 {
3217 	mblk_t *newmp = NULL;
3218 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3219 
3220 	if (dir == CRYPT_ENCRYPT) {
3221 		tmi->ready |= CRYPT_WRITE_READY;
3222 		(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
3223 				"start_stream: restart ENCRYPT/WRITE q"));
3224 
3225 		enableok(wq);
3226 		qenable(wq);
3227 	} else if (dir == CRYPT_DECRYPT) {
3228 		/*
3229 		 * put any extra data in the RD
3230 		 * queue to be processed and
3231 		 * sent back up.
3232 		 */
3233 		newmp = mp->b_cont;
3234 		mp->b_cont = NULL;
3235 
3236 		tmi->ready |= CRYPT_READ_READY;
3237 		(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3238 				SL_TRACE|SL_NOTE,
3239 				"start_stream: restart "
3240 				"DECRYPT/READ q"));
3241 
3242 		if (newmp != NULL)
3243 			if (!putbq(RD(wq), newmp))
3244 				freemsg(newmp);
3245 
3246 		enableok(RD(wq));
3247 		qenable(RD(wq));
3248 	}
3249 
3250 	miocack(wq, mp, 0, 0);
3251 }
3252 
3253 /*
3254  * Write-side put procedure.  Its main task is to detect ioctls and
3255  * FLUSH operations.  Other message types are passed on through.
3256  */
3257 static int
cryptmodwput(queue_t * wq,mblk_t * mp)3258 cryptmodwput(queue_t *wq, mblk_t *mp)
3259 {
3260 	struct iocblk *iocp;
3261 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3262 	int ret, err;
3263 
3264 	switch (mp->b_datap->db_type) {
3265 	case M_DATA:
3266 <