xref: /illumos-gate/usr/src/uts/common/io/cryptmod.c (revision e81f5104)

/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Copyright (c) 2018, Joyent, Inc.
 *
 * STREAMS Crypto Module
 *
 * This module is used to facilitate Kerberos encryption
 * operations for the telnet daemon and rlogin daemon.
 * Because the Solaris telnet and rlogin daemons run mostly
 * in-kernel via 'telmod' and 'rlmod', this module must be
 * pushed on the STREAM *below* telmod or rlmod.
 *
 * Parts of the 3DES key derivation code are covered by the
 * following copyright.
 *
 * Copyright (C) 1998 by the FundsXpress, INC.
 *
 * All rights reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government.  It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  FundsXpress makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

#include <sys/types.h>
#include <sys/sysmacros.h>
#include <sys/errno.h>
#include <sys/debug.h>
#include <sys/time.h>
#include <sys/stropts.h>
#include <sys/stream.h>
#include <sys/strsubr.h>
#include <sys/strlog.h>
#include <sys/cmn_err.h>
#include <sys/conf.h>
#include <sys/sunddi.h>
#include <sys/kmem.h>
#include <sys/strsun.h>
#include <sys/random.h>
#include <sys/types.h>
#include <sys/byteorder.h>
#include <sys/cryptmod.h>
#include <sys/crc32.h>
#include <sys/policy.h>

#include <sys/crypto/api.h>

/*
 * Function prototypes.
 */
static	int	cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
static  int	cryptmodrput(queue_t *, mblk_t *);
static  int	cryptmodwput(queue_t *, mblk_t *);
static	int	cryptmodclose(queue_t *, int, cred_t *);
static	int	cryptmodwsrv(queue_t *);
static	int	cryptmodrsrv(queue_t *);

static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);

#define	CRYPTMOD_ID 5150

#define	CFB_BLKSZ 8

#define	K5CLENGTH 5

static struct module_info	cryptmod_minfo = {
	CRYPTMOD_ID,	/* mi_idnum */
	"cryptmod",	/* mi_idname */
	0,		/* mi_minpsz */
	INFPSZ,		/* mi_maxpsz */
	65536,		/* mi_hiwat */
	1024		/* mi_lowat */
};

static struct qinit	cryptmod_rinit = {
	cryptmodrput,	/* qi_putp */
	cryptmodrsrv,	/* qi_svc */
	cryptmodopen,	/* qi_qopen */
	cryptmodclose,	/* qi_qclose */
	NULL,		/* qi_qadmin */
	&cryptmod_minfo,	/* qi_minfo */
	NULL		/* qi_mstat */
};

static struct qinit	cryptmod_winit = {
	cryptmodwput,	/* qi_putp */
	cryptmodwsrv,	/* qi_srvp */
	NULL,		/* qi_qopen */
	NULL,		/* qi_qclose */
	NULL,		/* qi_qadmin */
	&cryptmod_minfo,	/* qi_minfo */
	NULL		/* qi_mstat */
};

static struct streamtab	cryptmod_info = {
	&cryptmod_rinit,	/* st_rdinit */
	&cryptmod_winit,	/* st_wrinit */
	NULL,	/* st_muxrinit */
	NULL	/* st_muxwinit */
};

typedef struct {
	uint_t hash_len;
	uint_t confound_len;
	int (*hashfunc)();
} hash_info_t;

#define	MAX_CKSUM_LEN 20
#define	CONFOUNDER_LEN 8

#define	SHA1_HASHSIZE 20
#define	MD5_HASHSIZE 16
#define	CRC32_HASHSIZE 4
#define	MSGBUF_SIZE 4096
#define	CONFOUNDER_BYTES 128


static int crc32_calc(uchar_t *, uchar_t *, uint_t);
static int md5_calc(uchar_t *, uchar_t *, uint_t);
static int sha1_calc(uchar_t *, uchar_t *, uint_t);

static hash_info_t null_hash = {0, 0, NULL};
static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};

static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;

static int kef_crypt(struct cipher_data_t *, void *,
		    crypto_data_format_t, size_t, int);
static mblk_t *
arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
		mblk_t *, hash_info_t *);
static mblk_t *
arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
		mblk_t *, hash_info_t *);

static int
do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);

/*
 * This is the loadable module wrapper.
 */
#include <sys/modctl.h>

static struct fmodsw fsw = {
	"cryptmod",
	&cryptmod_info,
	D_MP | D_MTQPAIR
};

/*
 * Module linkage information for the kernel.
 */
static struct modlstrmod modlstrmod = {
	&mod_strmodops,
	"STREAMS encryption module",
	&fsw
};

static struct modlinkage modlinkage = {
	MODREV_1,
	&modlstrmod,
	NULL
};

int
_init(void)
{
	return (mod_install(&modlinkage));
}

int
_fini(void)
{
	return (mod_remove(&modlinkage));
}

int
_info(struct modinfo *modinfop)
{
	return (mod_info(&modlinkage, modinfop));
}

static void
cleanup(struct cipher_data_t *cd)
{
	if (cd->key != NULL) {
		bzero(cd->key, cd->keylen);
		kmem_free(cd->key, cd->keylen);
		cd->key = NULL;
	}

	if (cd->ckey != NULL) {
		/*
		 * ckey is a crypto_key_t structure which references
		 * "cd->key" for its raw key data.  Since that was already
		 * cleared out, we don't need another "bzero" here.
		 */
		kmem_free(cd->ckey, sizeof (crypto_key_t));
		cd->ckey = NULL;
	}

	if (cd->block != NULL) {
		kmem_free(cd->block, cd->blocklen);
		cd->block = NULL;
	}

	if (cd->saveblock != NULL) {
		kmem_free(cd->saveblock, cd->blocklen);
		cd->saveblock = NULL;
	}

	if (cd->ivec != NULL) {
		kmem_free(cd->ivec, cd->ivlen);
		cd->ivec = NULL;
	}

	if (cd->d_encr_key.ck_data != NULL) {
		bzero(cd->d_encr_key.ck_data, cd->keylen);
		kmem_free(cd->d_encr_key.ck_data, cd->keylen);
	}

	if (cd->d_hmac_key.ck_data != NULL) {
		bzero(cd->d_hmac_key.ck_data, cd->keylen);
		kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
	}

	if (cd->enc_tmpl != NULL)
		(void) crypto_destroy_ctx_template(cd->enc_tmpl);

	if (cd->hmac_tmpl != NULL)
		(void) crypto_destroy_ctx_template(cd->hmac_tmpl);

	if (cd->ctx != NULL) {
		crypto_cancel_ctx(cd->ctx);
		cd->ctx = NULL;
	}
}

/* ARGSUSED */
static int
cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
{
	struct tmodinfo	*tmi;
	ASSERT(rq);

	if (sflag != MODOPEN)
		return (EINVAL);

	(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
			"cryptmodopen: opening module(PID %d)",
			ddi_get_pid()));

	if (rq->q_ptr != NULL) {
		cmn_err(CE_WARN, "cryptmodopen: already opened");
		return (0);
	}

	/*
	 * Allocate and initialize per-Stream structure.
	 */
	tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo),
						KM_SLEEP);

	tmi->enc_data.method = CRYPT_METHOD_NONE;
	tmi->dec_data.method = CRYPT_METHOD_NONE;

	tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);

	rq->q_ptr = WR(rq)->q_ptr = tmi;

	sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
	md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
	sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
	md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);

	qprocson(rq);

	return (0);
}

/* ARGSUSED */
static int
cryptmodclose(queue_t *rq, int flags __unused, cred_t *credp __unused)
{
	struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
	ASSERT(tmi);

	qprocsoff(rq);

	cleanup(&tmi->enc_data);
	cleanup(&tmi->dec_data);

	kmem_free(tmi, sizeof (struct tmodinfo));
	rq->q_ptr = WR(rq)->q_ptr = NULL;

	return (0);
}

/*
 * plaintext_offset
 *
 * Calculate exactly how much space is needed in front
 * of the "plaintext" in an mbuf so it can be positioned
 * 1 time instead of potentially moving the data multiple
 * times.
 */
static int
plaintext_offset(struct cipher_data_t *cd)
{
	int headspace = 0;

	/* 4 byte length prepended to all RCMD msgs */
	if (ANY_RCMD_MODE(cd->option_mask))
		headspace += RCMD_LEN_SZ;

	/* RCMD V2 mode adds an additional 4 byte plaintext length */
	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
		headspace += RCMD_LEN_SZ;

	/* Need extra space for hash and counfounder */
	switch (cd->method) {
	case CRYPT_METHOD_DES_CBC_NULL:
		headspace += null_hash.hash_len + null_hash.confound_len;
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		headspace += crc32_hash.hash_len + crc32_hash.confound_len;
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		headspace += md5_hash.hash_len + md5_hash.confound_len;
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		headspace += sha1_hash.confound_len;
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
		headspace += md5_hash.hash_len + md5_hash.confound_len;
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		headspace += DEFAULT_AES_BLOCKLEN;
		break;
	case CRYPT_METHOD_DES_CFB:
	case CRYPT_METHOD_NONE:
		break;
	}

	return (headspace);
}
/*
 * encrypt_size
 *
 * Calculate the resulting size when encrypting 'plainlen' bytes
 * of data.
 */
static size_t
encrypt_size(struct cipher_data_t *cd, size_t plainlen)
{
	size_t cipherlen;

	switch (cd->method) {
	case CRYPT_METHOD_DES_CBC_NULL:
		cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
					    plainlen, 8);
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
					    md5_hash.confound_len +
					    plainlen, 8);
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
					    crc32_hash.confound_len +
					    plainlen, 8);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
					    plainlen, 8) +
					    sha1_hash.hash_len;
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
		cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
				plainlen, 1) + md5_hash.hash_len;
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		/* No roundup for AES-CBC-CTS */
		cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
			AES_TRUNCATED_HMAC_LEN;
		break;
	case CRYPT_METHOD_DES_CFB:
	case CRYPT_METHOD_NONE:
		cipherlen = plainlen;
		break;
	}

	return (cipherlen);
}

/*
 * des_cfb_encrypt
 *
 * Encrypt the mblk data using DES with cipher feedback.
 *
 * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
 * vector, D[n] is the nth chunk of 64 bits of data to encrypt
 * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
 * (decrypted) data, then:
 *
 *  V[0] = DES(V[i], key)
 *  O[n] = D[n] <exclusive or > V[n]
 *  V[n+1] = DES(O[n], key)
 *
 * The size of the message being encrypted does not change in this
 * algorithm, num_bytes in == num_bytes out.
 */
static mblk_t *
des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	int savedbytes;
	char *iptr, *optr, *lastoutput;

	lastoutput = optr = (char *)mp->b_rptr;
	iptr = (char *)mp->b_rptr;
	savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;

	while (iptr < (char *)mp->b_wptr) {
		/*
		 * Do DES-ECB.
		 * The first time this runs, the 'tmi->enc_data.block' will
		 * contain the initialization vector that should have been
		 * passed in with the SETUP ioctl.
		 *
		 * V[n] = DES(V[n-1], key)
		 */
		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
			int retval = 0;
			retval = kef_crypt(&tmi->enc_data,
					tmi->enc_data.block,
					CRYPTO_DATA_RAW,
					tmi->enc_data.blocklen,
					CRYPT_ENCRYPT);

			if (retval != CRYPTO_SUCCESS) {
#ifdef DEBUG
				cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
					"failed - error 0x%0x", retval);
#endif
				mp->b_datap->db_type = M_ERROR;
				mp->b_rptr = mp->b_datap->db_base;
				*mp->b_rptr = EIO;
				mp->b_wptr = mp->b_rptr + sizeof (char);
				freemsg(mp->b_cont);
				mp->b_cont = NULL;
				qreply(WR(q), mp);
				return (NULL);
			}
		}

		/* O[n] = I[n] ^ V[n] */
		*(optr++) = *(iptr++) ^
		    tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];

		tmi->enc_data.bytes++;
		/*
		 * Feedback the encrypted output as the input to next DES call.
		 */
		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
			char *dbptr = tmi->enc_data.block;
			/*
			 * Get the last bits of input from the previous
			 * msg block that we haven't yet used as feedback input.
			 */
			if (savedbytes > 0) {
				bcopy(tmi->enc_data.saveblock,
				    dbptr, (size_t)savedbytes);
				dbptr += savedbytes;
			}

			/*
			 * Now copy the correct bytes from the current input
			 * stream and update the 'lastoutput' ptr
			 */
			bcopy(lastoutput, dbptr,
				(size_t)(CFB_BLKSZ - savedbytes));

			lastoutput += (CFB_BLKSZ - savedbytes);
			savedbytes = 0;
		}
	}
	/*
	 * If there are bytes of input here that we need in the next
	 * block to build an ivec, save them off here.
	 */
	if (lastoutput < optr) {
		bcopy(lastoutput,
		    tmi->enc_data.saveblock + savedbytes,
		    (uint_t)(optr - lastoutput));
	}
	return (mp);
}

/*
 * des_cfb_decrypt
 *
 * Decrypt the data in the mblk using DES in Cipher Feedback mode
 *
 * # bytes in == # bytes out, no padding, confounding, or hashing
 * is added.
 *
 */
static mblk_t *
des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	uint_t len;
	uint_t savedbytes;
	char *iptr;
	char *lastinput;
	uint_t cp;

	len = MBLKL(mp);

	/* decrypted output goes into the new data buffer */
	lastinput = iptr = (char *)mp->b_rptr;

	savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;

	/*
	 * Save the input CFB_BLKSZ bytes at a time.
	 * We are trying to decrypt in-place, but need to keep
	 * a small sliding window of encrypted text to be
	 * used to construct the feedback buffer.
	 */
	cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
		tmi->dec_data.blocklen - savedbytes);

	bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
	savedbytes += cp;

	lastinput += cp;

	while (iptr < (char *)mp->b_wptr) {
		/*
		 * Do DES-ECB.
		 * The first time this runs, the 'tmi->dec_data.block' will
		 * contain the initialization vector that should have been
		 * passed in with the SETUP ioctl.
		 */
		if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
			int retval;
			retval = kef_crypt(&tmi->dec_data,
					tmi->dec_data.block,
					CRYPTO_DATA_RAW,
					tmi->dec_data.blocklen,
					CRYPT_ENCRYPT);

			if (retval != CRYPTO_SUCCESS) {
#ifdef DEBUG
				cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
					"failed - status 0x%0x", retval);
#endif
				mp->b_datap->db_type = M_ERROR;
				mp->b_rptr = mp->b_datap->db_base;
				*mp->b_rptr = EIO;
				mp->b_wptr = mp->b_rptr + sizeof (char);
				freemsg(mp->b_cont);
				mp->b_cont = NULL;
				qreply(WR(q), mp);
				return (NULL);
			}
		}

		/*
		 * To decrypt, XOR the input with the output from the DES call
		 */
		*(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
				CFB_BLKSZ];

		tmi->dec_data.bytes++;

		/*
		 * Feedback the encrypted input for next DES call.
		 */
		if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
			char *dbptr = tmi->dec_data.block;
			/*
			 * Get the last bits of input from the previous block
			 * that we haven't yet processed.
			 */
			if (savedbytes > 0) {
				bcopy(tmi->dec_data.saveblock,
				    dbptr, savedbytes);
				dbptr += savedbytes;
			}

			savedbytes = 0;

			/*
			 * This block makes sure that our local
			 * buffer of input data is full and can
			 * be accessed from the beginning.
			 */
			if (lastinput < (char *)mp->b_wptr) {

				/* How many bytes are left in the mblk? */
				cp = (((char *)mp->b_wptr - lastinput) >
					tmi->dec_data.blocklen ?
					tmi->dec_data.blocklen :
					(char *)mp->b_wptr - lastinput);

				/* copy what we need */
				bcopy(lastinput, tmi->dec_data.saveblock,
					cp);

				lastinput += cp;
				savedbytes = cp;
			}
		}
	}

	return (mp);
}

/*
 * crc32_calc
 *
 * Compute a CRC32 checksum on the input
 */
static int
crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
{
	uint32_t crc;

	CRC32(crc, input, len, 0, crc32_table);

	buf[0] = (uchar_t)(crc & 0xff);
	buf[1] = (uchar_t)((crc >> 8) & 0xff);
	buf[2] = (uchar_t)((crc >> 16) & 0xff);
	buf[3] = (uchar_t)((crc >> 24) & 0xff);

	return (CRYPTO_SUCCESS);
}

static int
kef_digest(crypto_mech_type_t digest_type,
	uchar_t *input, uint_t inlen,
	uchar_t *output, uint_t hashlen)
{
	iovec_t v1, v2;
	crypto_data_t d1, d2;
	crypto_mechanism_t mech;
	int rv;

	mech.cm_type = digest_type;
	mech.cm_param = 0;
	mech.cm_param_len = 0;

	v1.iov_base = (void *)input;
	v1.iov_len = inlen;

	d1.cd_format = CRYPTO_DATA_RAW;
	d1.cd_offset = 0;
	d1.cd_length = v1.iov_len;
	d1.cd_raw = v1;

	v2.iov_base = (void *)output;
	v2.iov_len = hashlen;

	d2.cd_format = CRYPTO_DATA_RAW;
	d2.cd_offset = 0;
	d2.cd_length = v2.iov_len;
	d2.cd_raw = v2;

	rv = crypto_digest(&mech, &d1, &d2, NULL);

	return (rv);
}

/*
 * sha1_calc
 *
 * Get a SHA1 hash on the input data.
 */
static int
sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
{
	int rv;

	rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);

	return (rv);
}

/*
 * Get an MD5 hash on the input data.
 * md5_calc
 *
 */
static int
md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
{
	int rv;

	rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);

	return (rv);
}

/*
 * nfold
 * duplicate the functionality of the krb5_nfold function from
 * the userland kerberos mech.
 * This is needed to derive keys for use with 3DES/SHA1-HMAC
 * ciphers.
 */
static void
nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
{
	int a, b, c, lcm;
	int byte, i, msbit;

	inbits >>= 3;
	outbits >>= 3;

	/* first compute lcm(n,k) */
	a = outbits;
	b = inbits;

	while (b != 0) {
		c = b;
		b = a%b;
		a = c;
	}

	lcm = outbits*inbits/a;

	/* now do the real work */

	bzero(out, outbits);
	byte = 0;

	/*
	 * Compute the msbit in k which gets added into this byte
	 * first, start with the msbit in the first, unrotated byte
	 * then, for each byte, shift to the right for each repetition
	 * last, pick out the correct byte within that shifted repetition
	 */
	for (i = lcm-1; i >= 0; i--) {
		msbit = (((inbits<<3)-1)
			+(((inbits<<3)+13)*(i/inbits))
			+((inbits-(i%inbits))<<3)) %(inbits<<3);

		/* pull out the byte value itself */
		byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
			(in[((inbits)-(msbit>>3))%inbits]))
			>>((msbit&7)+1))&0xff;

		/* do the addition */
		byte += out[i%outbits];
		out[i%outbits] = byte&0xff;

		byte >>= 8;
	}

	/* if there's a carry bit left over, add it back in */
	if (byte) {
		for (i = outbits-1; i >= 0; i--) {
			/* do the addition */
			byte += out[i];
			out[i] = byte&0xff;

			/* keep around the carry bit, if any */
			byte >>= 8;
		}
	}
}

#define	smask(step) ((1<<step)-1)
#define	pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
#define	parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)

/*
 * Duplicate the functionality of the "dk_derive_key" function
 * in the Kerberos mechanism.
 */
static int
derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
	int constlen, char *dkey, int keybytes,
	int blocklen)
{
	int rv = 0;
	int n = 0, i;
	char *inblock;
	char *rawkey;
	char *zeroblock;
	char *saveblock;

	inblock = kmem_zalloc(blocklen, KM_SLEEP);
	rawkey = kmem_zalloc(keybytes, KM_SLEEP);
	zeroblock = kmem_zalloc(blocklen, KM_SLEEP);

	if (constlen == blocklen)
		bcopy(constdata, inblock, blocklen);
	else
		nfold(constlen * 8, constdata,
			blocklen * 8, (uchar_t *)inblock);

	/*
	 * zeroblock is an IV of all 0's.
	 *
	 * The "block" section of the cdata record is used as the
	 * IV for crypto operations in the kef_crypt function.
	 *
	 * We use 'block' as a generic IV data buffer because it
	 * is attached to the stream state data and thus can
	 * be used to hold information that must carry over
	 * from processing of one mblk to another.
	 *
	 * Here, we save the current IV and replace it with
	 * and empty IV (all 0's) for use when deriving the
	 * keys.  Once the key derivation is done, we swap the
	 * old IV back into place.
	 */
	saveblock = cdata->block;
	cdata->block = zeroblock;

	while (n < keybytes) {
		rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
				blocklen, CRYPT_ENCRYPT);
		if (rv != CRYPTO_SUCCESS) {
			/* put the original IV block back in place */
			cdata->block = saveblock;
			cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
			goto cleanup;
		}

		if (keybytes - n < blocklen) {
			bcopy(inblock, rawkey+n, (keybytes-n));
			break;
		}
		bcopy(inblock, rawkey+n, blocklen);
		n += blocklen;
	}
	/* put the original IV block back in place */
	cdata->block = saveblock;

	/* finally, make the key */
	if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
		/*
		 * 3DES key derivation requires that we make sure the
		 * key has the proper parity.
		 */
		for (i = 0; i < 3; i++) {
			bcopy(rawkey+(i*7), dkey+(i*8), 7);

			/* 'dkey' is our derived key output buffer */
			dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
					((dkey[i*8+1]&1)<<2) |
					((dkey[i*8+2]&1)<<3) |
					((dkey[i*8+3]&1)<<4) |
					((dkey[i*8+4]&1)<<5) |
					((dkey[i*8+5]&1)<<6) |
					((dkey[i*8+6]&1)<<7));

			for (n = 0; n < 8; n++) {
				dkey[i*8 + n] &=  0xfe;
				dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
			}
		}
	} else if (IS_AES_METHOD(cdata->method)) {
		bcopy(rawkey, dkey, keybytes);
	}
cleanup:
	kmem_free(inblock, blocklen);
	kmem_free(zeroblock, blocklen);
	kmem_free(rawkey, keybytes);
	return (rv);
}

/*
 * create_derived_keys
 *
 * Algorithm for deriving a new key and an HMAC key
 * before computing the 3DES-SHA1-HMAC operation on the plaintext
 * This algorithm matches the work done by Kerberos mechanism
 * in userland.
 */
static int
create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
		crypto_key_t *enckey, crypto_key_t *hmackey)
{
	uchar_t constdata[K5CLENGTH];
	int keybytes;
	int rv;

	constdata[0] = (usage>>24)&0xff;
	constdata[1] = (usage>>16)&0xff;
	constdata[2] = (usage>>8)&0xff;
	constdata[3] = usage & 0xff;
	/* Use "0xAA" for deriving encryption key */
	constdata[4] = 0xAA; /* from MIT Kerberos code */

	enckey->ck_length = cdata->keylen * 8;
	enckey->ck_format = CRYPTO_KEY_RAW;
	enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);

	switch (cdata->method) {
		case CRYPT_METHOD_DES_CFB:
		case CRYPT_METHOD_DES_CBC_NULL:
		case CRYPT_METHOD_DES_CBC_MD5:
		case CRYPT_METHOD_DES_CBC_CRC:
			keybytes = 8;
			break;
		case CRYPT_METHOD_DES3_CBC_SHA1:
			keybytes = CRYPT_DES3_KEYBYTES;
			break;
		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
			keybytes = CRYPT_ARCFOUR_KEYBYTES;
			break;
		case CRYPT_METHOD_AES128:
			keybytes = CRYPT_AES128_KEYBYTES;
			break;
		case CRYPT_METHOD_AES256:
			keybytes = CRYPT_AES256_KEYBYTES;
			break;
	}

	/* derive main crypto key */
	rv = derive_key(cdata, constdata, sizeof (constdata),
		enckey->ck_data, keybytes, cdata->blocklen);

	if (rv == CRYPTO_SUCCESS) {

		/* Use "0x55" for deriving mac key */
		constdata[4] = 0x55;

		hmackey->ck_length = cdata->keylen * 8;
		hmackey->ck_format = CRYPTO_KEY_RAW;
		hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);

		rv = derive_key(cdata, constdata, sizeof (constdata),
				hmackey->ck_data, keybytes,
				cdata->blocklen);
	} else {
		cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
	}

	return (rv);
}

/*
 * Compute 3-DES crypto and HMAC.
 */
static int
kef_decr_hmac(struct cipher_data_t *cdata,
	mblk_t *mp, int length,
	char *hmac, int hmaclen)
{
	int rv = CRYPTO_FAILED;

	crypto_mechanism_t encr_mech;
	crypto_mechanism_t mac_mech;
	crypto_data_t dd;
	crypto_data_t mac;
	iovec_t v1;

	ASSERT(cdata != NULL);
	ASSERT(mp != NULL);
	ASSERT(hmac != NULL);

	bzero(&dd, sizeof (dd));
	dd.cd_format = CRYPTO_DATA_MBLK;
	dd.cd_offset = 0;
	dd.cd_length = length;
	dd.cd_mp = mp;

	v1.iov_base = hmac;
	v1.iov_len = hmaclen;

	mac.cd_format = CRYPTO_DATA_RAW;
	mac.cd_offset = 0;
	mac.cd_length = hmaclen;
	mac.cd_raw = v1;

	/*
	 * cdata->block holds the IVEC
	 */
	encr_mech.cm_type = cdata->mech_type;
	encr_mech.cm_param = cdata->block;

	if (cdata->block != NULL)
		encr_mech.cm_param_len = cdata->blocklen;
	else
		encr_mech.cm_param_len = 0;

	rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key,
			cdata->enc_tmpl, NULL, NULL);
	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv);
		return (rv);
	}

	mac_mech.cm_type = sha1_hmac_mech;
	mac_mech.cm_param = NULL;
	mac_mech.cm_param_len = 0;

	/*
	 * Compute MAC of the plaintext decrypted above.
	 */
	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
			cdata->hmac_tmpl, &mac, NULL);

	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
	}

	return (rv);
}

/*
 * Compute 3-DES crypto and HMAC.
 */
static int
kef_encr_hmac(struct cipher_data_t *cdata,
	mblk_t *mp, int length,
	char *hmac, int hmaclen)
{
	int rv = CRYPTO_FAILED;

	crypto_mechanism_t encr_mech;
	crypto_mechanism_t mac_mech;
	crypto_data_t dd;
	crypto_data_t mac;
	iovec_t v1;

	ASSERT(cdata != NULL);
	ASSERT(mp != NULL);
	ASSERT(hmac != NULL);

	bzero(&dd, sizeof (dd));
	dd.cd_format = CRYPTO_DATA_MBLK;
	dd.cd_offset = 0;
	dd.cd_length = length;
	dd.cd_mp = mp;

	v1.iov_base = hmac;
	v1.iov_len = hmaclen;

	mac.cd_format = CRYPTO_DATA_RAW;
	mac.cd_offset = 0;
	mac.cd_length = hmaclen;
	mac.cd_raw = v1;

	/*
	 * cdata->block holds the IVEC
	 */
	encr_mech.cm_type = cdata->mech_type;
	encr_mech.cm_param = cdata->block;

	if (cdata->block != NULL)
		encr_mech.cm_param_len = cdata->blocklen;
	else
		encr_mech.cm_param_len = 0;

	mac_mech.cm_type = sha1_hmac_mech;
	mac_mech.cm_param = NULL;
	mac_mech.cm_param_len = 0;

	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
			cdata->hmac_tmpl, &mac, NULL);

	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
		return (rv);
	}

	rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key,
			cdata->enc_tmpl, NULL, NULL);
	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv);
	}

	return (rv);
}

/*
 * kef_crypt
 *
 * Use the Kernel encryption framework to provide the
 * crypto operations for the indicated data.
 */
static int
kef_crypt(struct cipher_data_t *cdata,
	void *indata, crypto_data_format_t fmt,
	size_t length, int mode)
{
	int rv = CRYPTO_FAILED;

	crypto_mechanism_t mech;
	crypto_key_t crkey;
	iovec_t v1;
	crypto_data_t d1;

	ASSERT(cdata != NULL);
	ASSERT(indata != NULL);
	ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);

	bzero(&crkey, sizeof (crkey));
	bzero(&d1, sizeof (d1));

	crkey.ck_format = CRYPTO_KEY_RAW;
	crkey.ck_data =  cdata->key;

	/* keys are measured in bits, not bytes, so multiply by 8 */
	crkey.ck_length = cdata->keylen * 8;

	if (fmt == CRYPTO_DATA_RAW) {
		v1.iov_base = (char *)indata;
		v1.iov_len = length;
	}

	d1.cd_format = fmt;
	d1.cd_offset = 0;
	d1.cd_length = length;
	if (fmt == CRYPTO_DATA_RAW)
		d1.cd_raw = v1;
	else if (fmt == CRYPTO_DATA_MBLK)
		d1.cd_mp = (mblk_t *)indata;

	mech.cm_type = cdata->mech_type;
	mech.cm_param = cdata->block;
	/*
	 * cdata->block holds the IVEC
	 */
	if (cdata->block != NULL)
		mech.cm_param_len = cdata->blocklen;
	else
		mech.cm_param_len = 0;

	/*
	 * encrypt and decrypt in-place
	 */
	if (mode == CRYPT_ENCRYPT)
		rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
	else
		rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);

	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "%s returned error %08x",
			(mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
				"crypto_decrypt"), rv);
		return (CRYPTO_FAILED);
	}

	return (rv);
}

static int
do_hmac(crypto_mech_type_t mech,
	crypto_key_t *key,
	char *data, int datalen,
	char *hmac, int hmaclen)
{
	int rv = 0;
	crypto_mechanism_t mac_mech;
	crypto_data_t dd;
	crypto_data_t mac;
	iovec_t vdata, vmac;

	mac_mech.cm_type = mech;
	mac_mech.cm_param = NULL;
	mac_mech.cm_param_len = 0;

	vdata.iov_base = data;
	vdata.iov_len = datalen;

	bzero(&dd, sizeof (dd));
	dd.cd_format = CRYPTO_DATA_RAW;
	dd.cd_offset = 0;
	dd.cd_length = datalen;
	dd.cd_raw = vdata;

	vmac.iov_base = hmac;
	vmac.iov_len = hmaclen;

	mac.cd_format = CRYPTO_DATA_RAW;
	mac.cd_offset = 0;
	mac.cd_length = hmaclen;
	mac.cd_raw = vmac;

	/*
	 * Compute MAC of the plaintext decrypted above.
	 */
	rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);

	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
	}

	return (rv);
}

#define	XOR_BLOCK(src, dst) \
	(dst)[0] ^= (src)[0]; \
	(dst)[1] ^= (src)[1]; \
	(dst)[2] ^= (src)[2]; \
	(dst)[3] ^= (src)[3]; \
	(dst)[4] ^= (src)[4]; \
	(dst)[5] ^= (src)[5]; \
	(dst)[6] ^= (src)[6]; \
	(dst)[7] ^= (src)[7]; \
	(dst)[8] ^= (src)[8]; \
	(dst)[9] ^= (src)[9]; \
	(dst)[10] ^= (src)[10]; \
	(dst)[11] ^= (src)[11]; \
	(dst)[12] ^= (src)[12]; \
	(dst)[13] ^= (src)[13]; \
	(dst)[14] ^= (src)[14]; \
	(dst)[15] ^= (src)[15]

#define	xorblock(x, y) XOR_BLOCK(y, x)

static int
aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
{
	int result = CRYPTO_SUCCESS;
	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
	int nblocks = 0, blockno;
	crypto_data_t ct, pt;
	crypto_mechanism_t mech;

	mech.cm_type = tmi->enc_data.mech_type;
	if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) {
		bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
	} else {
		bzero(tmp, sizeof (tmp));
	}
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;

	bzero(&ct, sizeof (crypto_data_t));
	bzero(&pt, sizeof (crypto_data_t));

	if (nblocks == 1) {
		pt.cd_format = CRYPTO_DATA_RAW;
		pt.cd_length = length;
		pt.cd_raw.iov_base = (char *)plain;
		pt.cd_raw.iov_len = length;

		result = crypto_encrypt(&mech, &pt,
			&tmi->enc_data.d_encr_key, NULL, NULL, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
				"crypto_encrypt failed: %0x", result);
		}
	} else {
		size_t nleft;

		ct.cd_format = CRYPTO_DATA_RAW;
		ct.cd_offset = 0;
		ct.cd_length = DEFAULT_AES_BLOCKLEN;

		pt.cd_format = CRYPTO_DATA_RAW;
		pt.cd_offset = 0;
		pt.cd_length = DEFAULT_AES_BLOCKLEN;

		result = crypto_encrypt_init(&mech,
				&tmi->enc_data.d_encr_key,
				tmi->enc_data.enc_tmpl,
				&tmi->enc_data.ctx, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
				"crypto_encrypt_init failed: %0x", result);
			goto cleanup;
		}

		for (blockno = 0; blockno < nblocks - 2; blockno++) {
			xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN);

			pt.cd_raw.iov_base = (char *)tmp;
			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

			ct.cd_raw.iov_base = (char *)plain +
				blockno * DEFAULT_AES_BLOCKLEN;
			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

			result = crypto_encrypt_update(tmi->enc_data.ctx,
					&pt, &ct, NULL);

			if (result != CRYPTO_SUCCESS) {
				cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
					"crypto_encrypt_update failed: %0x",
					result);
				goto cleanup;
			}
			/* copy result over original bytes */
			/* make another copy for the next XOR step */
			bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN,
				tmp, DEFAULT_AES_BLOCKLEN);
		}
		/* XOR cipher text from n-3 with plain text from n-2 */
		xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN);

		pt.cd_raw.iov_base = (char *)tmp;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		ct.cd_raw.iov_base = (char *)tmp2;
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		/* encrypt XOR-ed block N-2 */
		result = crypto_encrypt_update(tmi->enc_data.ctx,
				&pt, &ct, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
				"crypto_encrypt_update(2) failed: %0x",
				result);
			goto cleanup;
		}
		nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN;

		bzero(tmp3, sizeof (tmp3));
		/* Save final plaintext bytes from n-1 */
		bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
			nleft);

		/* Overwrite n-1 with cipher text from n-2 */
		bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
			nleft);

		bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN);
		/* XOR cipher text from n-1 with plain text from n-1 */
		xorblock(tmp, tmp3);

		pt.cd_raw.iov_base = (char *)tmp;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		ct.cd_raw.iov_base = (char *)tmp2;
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		/* encrypt block N-2 */
		result = crypto_encrypt_update(tmi->enc_data.ctx,
			&pt, &ct, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
				"crypto_encrypt_update(3) failed: %0x",
				result);
			goto cleanup;
		}

		bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
			DEFAULT_AES_BLOCKLEN);


		ct.cd_raw.iov_base = (char *)tmp2;
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		/*
		 * Ignore the output on the final step.
		 */
		result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
				"crypto_encrypt_final(3) failed: %0x",
				result);
		}
		tmi->enc_data.ctx = NULL;
	}
cleanup:
	bzero(tmp, sizeof (tmp));
	bzero(tmp2, sizeof (tmp));
	bzero(tmp3, sizeof (tmp));
	bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
	return (result);
}

static int
aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length)
{
	int result = CRYPTO_SUCCESS;
	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
	int nblocks = 0, blockno;
	crypto_data_t ct, pt;
	crypto_mechanism_t mech;

	mech.cm_type = tmi->enc_data.mech_type;

	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
	    tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) {
		bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
	} else {
		bzero(tmp, sizeof (tmp));
	}
	mech.cm_param_len = 0;
	mech.cm_param = NULL;

	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;

	bzero(&pt, sizeof (pt));
	bzero(&ct, sizeof (ct));

	if (nblocks == 1) {
		ct.cd_format = CRYPTO_DATA_RAW;
		ct.cd_length = length;
		ct.cd_raw.iov_base = (char *)buff;
		ct.cd_raw.iov_len = length;

		result = crypto_decrypt(&mech, &ct,
			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
				"crypto_decrypt failed: %0x", result);
			goto cleanup;
		}
	} else {
		ct.cd_format = CRYPTO_DATA_RAW;
		ct.cd_offset = 0;
		ct.cd_length = DEFAULT_AES_BLOCKLEN;

		pt.cd_format = CRYPTO_DATA_RAW;
		pt.cd_offset = 0;
		pt.cd_length = DEFAULT_AES_BLOCKLEN;

		result = crypto_decrypt_init(&mech,
				&tmi->dec_data.d_encr_key,
				tmi->dec_data.enc_tmpl,
				&tmi->dec_data.ctx, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
				"crypto_decrypt_init failed: %0x", result);
			goto cleanup;
		}
		for (blockno = 0; blockno < nblocks - 2; blockno++) {
			ct.cd_raw.iov_base = (char *)buff +
				(blockno * DEFAULT_AES_BLOCKLEN);
			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

			pt.cd_raw.iov_base = (char *)tmp2;
			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

			/*
			 * Save the input to the decrypt so it can
			 * be used later for an XOR operation
			 */
			bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN),
				tmi->dec_data.block, DEFAULT_AES_BLOCKLEN);

			result = crypto_decrypt_update(tmi->dec_data.ctx,
					&ct, &pt, NULL);
			if (result != CRYPTO_SUCCESS) {
				cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
					"crypto_decrypt_update(1) error - "
					"result = 0x%08x", result);
				goto cleanup;
			}
			xorblock(tmp2, tmp);
			bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN,
				DEFAULT_AES_BLOCKLEN);
			/*
			 * The original cipher text is used as the xor
			 * for the next block, save it here.
			 */
			bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN);
		}
		ct.cd_raw.iov_base = (char *)buff +
			((nblocks - 2) * DEFAULT_AES_BLOCKLEN);
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
		pt.cd_raw.iov_base = (char *)tmp2;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		result = crypto_decrypt_update(tmi->dec_data.ctx,
				&ct, &pt, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
				"aes_cbc_cts_decrypt: "
				"crypto_decrypt_update(2) error -"
				" result = 0x%08x", result);
			goto cleanup;
		}
		bzero(tmp3, sizeof (tmp3));
		bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));

		xorblock(tmp2, tmp3);
		bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));

		/* 2nd to last block ... */
		bcopy(tmp3, tmp2,
			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));

		ct.cd_raw.iov_base = (char *)tmp2;
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
		pt.cd_raw.iov_base = (char *)tmp3;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		result = crypto_decrypt_update(tmi->dec_data.ctx,
				&ct, &pt, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
				"aes_cbc_cts_decrypt: "
				"crypto_decrypt_update(3) error - "
				"result = 0x%08x", result);
			goto cleanup;
		}
		xorblock(tmp3, tmp);


		/* Finally, update the 2nd to last block and we are done. */
		bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
			DEFAULT_AES_BLOCKLEN);

		/* Do Final step, but ignore output */
		pt.cd_raw.iov_base = (char *)tmp2;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
		result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
				"crypto_decrypt_final error - "
				"result = 0x%0x", result);
		}
		tmi->dec_data.ctx = NULL;
	}

cleanup:
	bzero(tmp, sizeof (tmp));
	bzero(tmp2, sizeof (tmp));
	bzero(tmp3, sizeof (tmp));
	bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
	return (result);
}

/*
 * AES decrypt
 *
 * format of ciphertext when using AES
 *  +-------------+------------+------------+
 *  |  confounder | msg-data   |  hmac      |
 *  +-------------+------------+------------+
 */
static mblk_t *
aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
	hash_info_t *hash)
{
	int result;
	size_t enclen;
	size_t inlen;
	uchar_t hmacbuff[64];
	uchar_t tmpiv[DEFAULT_AES_BLOCKLEN];

	inlen = (size_t)MBLKL(mp);

	enclen = inlen - AES_TRUNCATED_HMAC_LEN;
	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) {
		int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) /
				DEFAULT_AES_BLOCKLEN;
		bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2),
			tmpiv, DEFAULT_AES_BLOCKLEN);
	}

	/* AES Decrypt */
	result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
			"aes_decrypt:  aes_cbc_cts_decrypt "
			"failed - error %0x", result);
		goto cleanup;
	}

	/* Verify the HMAC */
	result = do_hmac(sha1_hmac_mech,
			&tmi->dec_data.d_hmac_key,
			(char *)mp->b_rptr, enclen,
			(char *)hmacbuff, hash->hash_len);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
			"aes_decrypt:  do_hmac failed - error %0x", result);
		goto cleanup;
	}

	if (bcmp(hmacbuff, mp->b_rptr + enclen,
		AES_TRUNCATED_HMAC_LEN) != 0) {
		result = -1;
		cmn_err(CE_WARN, "aes_decrypt: checksum verification failed");
		goto cleanup;
	}

	/* truncate the mblk at the end of the decrypted text */
	mp->b_wptr = mp->b_rptr + enclen;

	/* Adjust the beginning of the buffer to skip the confounder */
	mp->b_rptr += DEFAULT_AES_BLOCKLEN;

	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0)
		bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN);

cleanup:
	if (result != CRYPTO_SUCCESS) {
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	}
	return (mp);
}

/*
 * AES encrypt
 *
 * format of ciphertext when using AES
 *  +-------------+------------+------------+
 *  |  confounder | msg-data   |  hmac      |
 *  +-------------+------------+------------+
 */
static mblk_t *
aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
	hash_info_t *hash)
{
	int result;
	size_t cipherlen;
	size_t inlen;
	uchar_t hmacbuff[64];

	inlen = (size_t)MBLKL(mp);

	cipherlen = encrypt_size(&tmi->enc_data, inlen);

	ASSERT(MBLKSIZE(mp) >= cipherlen);

	/*
	 * Shift the rptr back enough to insert the confounder.
	 */
	mp->b_rptr -= DEFAULT_AES_BLOCKLEN;

	/* Get random data for confounder */
	(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
		DEFAULT_AES_BLOCKLEN);

	/*
	 * Because we encrypt in-place, we need to calculate
	 * the HMAC of the plaintext now, then stick it on
	 * the end of the ciphertext down below.
	 */
	result = do_hmac(sha1_hmac_mech,
			&tmi->enc_data.d_hmac_key,
			(char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen,
			(char *)hmacbuff, hash->hash_len);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "aes_encrypt:  do_hmac failed - error %0x",
			result);
		goto cleanup;
	}
	/* Encrypt using AES-CBC-CTS */
	result = aes_cbc_cts_encrypt(tmi, mp->b_rptr,
		inlen + DEFAULT_AES_BLOCKLEN);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "aes_encrypt:  aes_cbc_cts_encrypt "
			"failed - error %0x", result);
		goto cleanup;
	}

	/* copy the truncated HMAC to the end of the mblk */
	bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen,
		AES_TRUNCATED_HMAC_LEN);

	mp->b_wptr = mp->b_rptr + cipherlen;

	/*
	 * The final block of cipher text (not the HMAC) is used
	 * as the next IV.
	 */
	if (tmi->enc_data.ivec_usage != IVEC_NEVER &&
	    tmi->enc_data.ivec != NULL) {
		int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) /
			DEFAULT_AES_BLOCKLEN;

		bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
			tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN);
	}

cleanup:
	if (result != CRYPTO_SUCCESS) {
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	}
	return (mp);
}

/*
 * ARCFOUR-HMAC-MD5 decrypt
 *
 * format of ciphertext when using ARCFOUR-HMAC-MD5
 *  +-----------+------------+------------+
 *  |  hmac     | confounder |  msg-data  |
 *  +-----------+------------+------------+
 *
 */
static mblk_t *
arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
			hash_info_t *hash)
{
	int result;
	size_t cipherlen;
	size_t inlen;
	size_t saltlen;
	crypto_key_t k1, k2;
	crypto_data_t indata;
	iovec_t v1;
	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
				0xab, 0xab, 0xab, 0xab };
	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
	uchar_t cksum[MD5_HASHSIZE];
	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
	crypto_mechanism_t mech;
	int usage;

	bzero(&indata, sizeof (indata));

	/* The usage constant is 1026 for all "old" rcmd mode operations */
	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
		usage = RCMDV1_USAGE;
	else
		usage = ARCFOUR_DECRYPT_USAGE;

	/*
	 * The size at this point should be the size of
	 * all the plaintext plus the optional plaintext length
	 * needed for RCMD V2 mode.  There should also be room
	 * at the head of the mblk for the confounder and hash info.
	 */
	inlen = (size_t)MBLKL(mp);

	/*
	 * The cipherlen does not include the HMAC at the
	 * head of the buffer.
	 */
	cipherlen = inlen - hash->hash_len;

	ASSERT(MBLKSIZE(mp) >= cipherlen);
	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
		saltdata[9] = 0;
		saltdata[10] = usage & 0xff;
		saltdata[11] = (usage >> 8) & 0xff;
		saltdata[12] = (usage >> 16) & 0xff;
		saltdata[13] = (usage >> 24) & 0xff;
		saltlen = 14;
	} else {
		saltdata[0] = usage & 0xff;
		saltdata[1] = (usage >> 8) & 0xff;
		saltdata[2] = (usage >> 16) & 0xff;
		saltdata[3] = (usage >> 24) & 0xff;
		saltlen = 4;
	}
	/*
	 * Use the salt value to create a key to be used
	 * for subsequent HMAC operations.
	 */
	result = do_hmac(md5_hmac_mech,
			tmi->dec_data.ckey,
			(char *)saltdata, saltlen,
			(char *)k1data, sizeof (k1data));
	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
			"arcfour_hmac_md5_decrypt:  do_hmac(k1)"
			"failed - error %0x", result);
		goto cleanup;
	}
	bcopy(k1data, k2data, sizeof (k1data));

	/*
	 * For the neutered MS RC4 encryption type,
	 * set the trailing 9 bytes to 0xab per the
	 * RC4-HMAC spec.
	 */
	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
	}

	mech.cm_type = tmi->dec_data.mech_type;
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	/*
	 * If we have not yet initialized the decryption key,
	 * context, and template, do it now.
	 */
	if (tmi->dec_data.ctx == NULL ||
	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
		k1.ck_format = CRYPTO_KEY_RAW;
		k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8;
		k1.ck_data = k1data;

		tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW;
		tmi->dec_data.d_encr_key.ck_length = k1.ck_length;
		if (tmi->dec_data.d_encr_key.ck_data == NULL)
			tmi->dec_data.d_encr_key.ck_data = kmem_zalloc(
				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);

		/*
		 * HMAC operation creates the encryption
		 * key to be used for the decrypt operations.
		 */
		result = do_hmac(md5_hmac_mech, &k1,
			(char *)mp->b_rptr, hash->hash_len,
			(char *)tmi->dec_data.d_encr_key.ck_data,
			CRYPT_ARCFOUR_KEYBYTES);


		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
				"arcfour_hmac_md5_decrypt:  do_hmac(k3)"
				"failed - error %0x", result);
			goto cleanup;
		}
	}

	tmi->dec_data.enc_tmpl = NULL;

	if (tmi->dec_data.ctx == NULL &&
	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
		/*
		 * Only create a template if we are doing
		 * chaining from block to block.
		 */
		result = crypto_create_ctx_template(&mech,
			&tmi->dec_data.d_encr_key,
			&tmi->dec_data.enc_tmpl,
			KM_SLEEP);
		if (result == CRYPTO_NOT_SUPPORTED) {
			tmi->dec_data.enc_tmpl = NULL;
		} else if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
				"arcfour_hmac_md5_decrypt:  "
				"failed to create dec template "
				"for RC4 encrypt: %0x", result);
			goto cleanup;
		}

		result = crypto_decrypt_init(&mech,
			&tmi->dec_data.d_encr_key,
			tmi->dec_data.enc_tmpl,
			&tmi->dec_data.ctx, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "crypto_decrypt_init failed:"
				" %0x", result);
			goto cleanup;
		}
	}

	/* adjust the rptr so we don't decrypt the original hmac field */

	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
	v1.iov_len = cipherlen;

	indata.cd_format = CRYPTO_DATA_RAW;
	indata.cd_offset = 0;
	indata.cd_length = cipherlen;
	indata.cd_raw = v1;

	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
		result = crypto_decrypt_update(tmi->dec_data.ctx,
			&indata, NULL, NULL);
	else
		result = crypto_decrypt(&mech, &indata,
			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_decrypt_update failed:"
			" %0x", result);
		goto cleanup;
	}

	k2.ck_format = CRYPTO_KEY_RAW;
	k2.ck_length = sizeof (k2data) * 8;
	k2.ck_data = k2data;

	result = do_hmac(md5_hmac_mech,
			&k2,
			(char *)mp->b_rptr + hash->hash_len, cipherlen,
			(char *)cksum, hash->hash_len);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
			"arcfour_hmac_md5_decrypt:  do_hmac(k2)"
			"failed - error %0x", result);
		goto cleanup;
	}

	if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) {
		cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed");
		result = -1;
		goto cleanup;
	}

	/*
	 * adjust the start of the mblk to skip over the
	 * hash and confounder.
	 */
	mp->b_rptr += hash->hash_len + hash->confound_len;

cleanup:
	bzero(k1data, sizeof (k1data));
	bzero(k2data, sizeof (k2data));
	bzero(cksum, sizeof (cksum));
	bzero(saltdata, sizeof (saltdata));
	if (result != CRYPTO_SUCCESS) {
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	}
	return (mp);
}

/*
 * ARCFOUR-HMAC-MD5 encrypt
 *
 * format of ciphertext when using ARCFOUR-HMAC-MD5
 *  +-----------+------------+------------+
 *  |  hmac     | confounder |  msg-data  |
 *  +-----------+------------+------------+
 *
 */
static mblk_t *
arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
			hash_info_t *hash)
{
	int result;
	size_t cipherlen;
	size_t inlen;
	size_t saltlen;
	crypto_key_t k1, k2;
	crypto_data_t indata;
	iovec_t v1;
	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
				0xab, 0xab, 0xab, 0xab };
	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
	crypto_mechanism_t mech;
	int usage;

	bzero(&indata, sizeof (indata));

	/* The usage constant is 1026 for all "old" rcmd mode operations */
	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
		usage = RCMDV1_USAGE;
	else
		usage = ARCFOUR_ENCRYPT_USAGE;

	mech.cm_type = tmi->enc_data.mech_type;
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	/*
	 * The size at this point should be the size of
	 * all the plaintext plus the optional plaintext length
	 * needed for RCMD V2 mode.  There should also be room
	 * at the head of the mblk for the confounder and hash info.
	 */
	inlen = (size_t)MBLKL(mp);

	cipherlen = encrypt_size(&tmi->enc_data, inlen);

	ASSERT(MBLKSIZE(mp) >= cipherlen);

	/*
	 * Shift the rptr back enough to insert
	 * the confounder and hash.
	 */
	mp->b_rptr -= (hash->confound_len + hash->hash_len);

	/* zero out the hash area */
	bzero(mp->b_rptr, (size_t)hash->hash_len);

	if (cipherlen > inlen) {
		bzero(mp->b_wptr, MBLKTAIL(mp));
	}

	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
		saltdata[9] = 0;
		saltdata[10] = usage & 0xff;
		saltdata[11] = (usage >> 8) & 0xff;
		saltdata[12] = (usage >> 16) & 0xff;
		saltdata[13] = (usage >> 24) & 0xff;
		saltlen = 14;
	} else {
		saltdata[0] = usage & 0xff;
		saltdata[1] = (usage >> 8) & 0xff;
		saltdata[2] = (usage >> 16) & 0xff;
		saltdata[3] = (usage >> 24) & 0xff;
		saltlen = 4;
	}
	/*
	 * Use the salt value to create a key to be used
	 * for subsequent HMAC operations.
	 */
	result = do_hmac(md5_hmac_mech,
			tmi->enc_data.ckey,
			(char *)saltdata, saltlen,
			(char *)k1data, sizeof (k1data));
	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
			"arcfour_hmac_md5_encrypt:  do_hmac(k1)"
			"failed - error %0x", result);
		goto cleanup;
	}

	bcopy(k1data, k2data, sizeof (k2data));

	/*
	 * For the neutered MS RC4 encryption type,
	 * set the trailing 9 bytes to 0xab per the
	 * RC4-HMAC spec.
	 */
	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
	}

	/*
	 * Get the confounder bytes.
	 */
	(void) random_get_pseudo_bytes(
			(uint8_t *)(mp->b_rptr + hash->hash_len),
			(size_t)hash->confound_len);

	k2.ck_data = k2data;
	k2.ck_format = CRYPTO_KEY_RAW;
	k2.ck_length = sizeof (k2data) * 8;

	/*
	 * This writes the HMAC to the hash area in the
	 * mblk.  The key used is the one just created by
	 * the previous HMAC operation.
	 * The data being processed is the confounder bytes
	 * PLUS the input plaintext.
	 */
	result = do_hmac(md5_hmac_mech, &k2,
			(char *)mp->b_rptr + hash->hash_len,
			hash->confound_len + inlen,
			(char *)mp->b_rptr, hash->hash_len);
	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
			"arcfour_hmac_md5_encrypt:  do_hmac(k2)"
			"failed - error %0x", result);
		goto cleanup;
	}
	/*
	 * Because of the odd way that MIT uses RC4 keys
	 * on the rlogin stream, we only need to create
	 * this key once.
	 * However, if using "old" rcmd mode, we need to do
	 * it every time.
	 */
	if (tmi->enc_data.ctx == NULL ||
	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
		crypto_key_t *key = &tmi->enc_data.d_encr_key;

		k1.ck_data = k1data;
		k1.ck_format = CRYPTO_KEY_RAW;
		k1.ck_length = sizeof (k1data) * 8;

		key->ck_format = CRYPTO_KEY_RAW;
		key->ck_length = k1.ck_length;
		if (key->ck_data == NULL)
			key->ck_data = kmem_zalloc(
				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);

		/*
		 * The final HMAC operation creates the encryption
		 * key to be used for the encrypt operation.
		 */
		result = do_hmac(md5_hmac_mech, &k1,
			(char *)mp->b_rptr, hash->hash_len,
			(char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
				"arcfour_hmac_md5_encrypt:  do_hmac(k3)"
				"failed - error %0x", result);
			goto cleanup;
		}
	}

	/*
	 * If the context has not been initialized, do it now.
	 */
	if (tmi->enc_data.ctx == NULL &&
	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
		/*
		 * Only create a template if we are doing
		 * chaining from block to block.
		 */
		result = crypto_create_ctx_template(&mech,
				&tmi->enc_data.d_encr_key,
				&tmi->enc_data.enc_tmpl,
				KM_SLEEP);
		if (result == CRYPTO_NOT_SUPPORTED) {
			tmi->enc_data.enc_tmpl = NULL;
		} else if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create enc template "
				"for RC4 encrypt: %0x", result);
			goto cleanup;
		}

		result = crypto_encrypt_init(&mech,
					&tmi->enc_data.d_encr_key,
					tmi->enc_data.enc_tmpl,
					&tmi->enc_data.ctx, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "crypto_encrypt_init failed:"
				" %0x", result);
			goto cleanup;
		}
	}
	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
	v1.iov_len = hash->confound_len + inlen;

	indata.cd_format = CRYPTO_DATA_RAW;
	indata.cd_offset = 0;
	indata.cd_length = hash->confound_len + inlen;
	indata.cd_raw = v1;

	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
		result = crypto_encrypt_update(tmi->enc_data.ctx,
			&indata, NULL, NULL);
	else
		result = crypto_encrypt(&mech, &indata,
			&tmi->enc_data.d_encr_key, NULL,
			NULL, NULL);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x",
			result);
	}

cleanup:
	bzero(k1data, sizeof (k1data));
	bzero(k2data, sizeof (k2data));
	bzero(saltdata, sizeof (saltdata));
	if (result != CRYPTO_SUCCESS) {
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	}
	return (mp);
}

/*
 * DES-CBC-[HASH] encrypt
 *
 * Needed to support userland apps that must support Kerberos V5
 * encryption DES-CBC encryption modes.
 *
 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
 *
 * format of ciphertext for DES-CBC functions, per RFC1510 is:
 *  +-----------+----------+-------------+-----+
 *  |confounder |  cksum   |   msg-data  | pad |
 *  +-----------+----------+-------------+-----+
 *
 * format of ciphertext when using DES3-SHA1-HMAC
 *  +-----------+----------+-------------+-----+
 *  |confounder |  msg-data  |   hmac    | pad |
 *  +-----------+----------+-------------+-----+
 *
 *  The confounder is 8 bytes of random data.
 *  The cksum depends on the hash being used.
 *   4 bytes for CRC32
 *  16 bytes for MD5
 *  20 bytes for SHA1
 *   0 bytes for RAW
 *
 */
static mblk_t *
des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
{
	int result;
	size_t cipherlen;
	size_t inlen;
	size_t plainlen;

	/*
	 * The size at this point should be the size of
	 * all the plaintext plus the optional plaintext length
	 * needed for RCMD V2 mode.  There should also be room
	 * at the head of the mblk for the confounder and hash info.
	 */
	inlen = (size_t)MBLKL(mp);

	/*
	 * The output size will be a multiple of 8 because this algorithm
	 * only works on 8 byte chunks.
	 */
	cipherlen = encrypt_size(&tmi->enc_data, inlen);

	ASSERT(MBLKSIZE(mp) >= cipherlen);

	if (cipherlen > inlen) {
		bzero(mp->b_wptr, MBLKTAIL(mp));
	}

	/*
	 * Shift the rptr back enough to insert
	 * the confounder and hash.
	 */
	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		mp->b_rptr -= hash->confound_len;
	} else {
		mp->b_rptr -= (hash->confound_len + hash->hash_len);

		/* zero out the hash area */
		bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
	}

	/* get random confounder from our friend, the 'random' module */
	if (hash->confound_len > 0) {
		(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
				    (size_t)hash->confound_len);
	}

	/*
	 * For 3DES we calculate an HMAC later.
	 */
	if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
		/* calculate chksum of confounder + input */
		if (hash->hash_len > 0 && hash->hashfunc != NULL) {
			uchar_t cksum[MAX_CKSUM_LEN];

			result = hash->hashfunc(cksum, mp->b_rptr,
				cipherlen);
			if (result != CRYPTO_SUCCESS) {
				goto failure;
			}

			/* put hash in place right after the confounder */
			bcopy(cksum, (mp->b_rptr + hash->confound_len),
			    (size_t)hash->hash_len);
		}
	}
	/*
	 * In order to support the "old" Kerberos RCMD protocol,
	 * we must use the IVEC 3 different ways:
	 *   IVEC_REUSE = keep using the same IV each time, this is
	 *		ugly and insecure, but necessary for
	 *		backwards compatibility with existing MIT code.
	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
	 *		was setup (see setup_crypto routine).
	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
	 */
	if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
		bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
	} else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
		bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
		    tmi->enc_data.blocklen);
	}

	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		/*
		 * The input length already included the hash size,
		 * don't include this in the plaintext length
		 * calculations.
		 */
		plainlen = cipherlen - hash->hash_len;

		mp->b_wptr = mp->b_rptr + plainlen;

		result = kef_encr_hmac(&tmi->enc_data,
			(void *)mp, (size_t)plainlen,
			(char *)(mp->b_rptr + plainlen),
			hash->hash_len);
	} else {
		ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
		mp->b_wptr = mp->b_rptr + cipherlen;
		result = kef_crypt(&tmi->enc_data, (void *)mp,
			CRYPTO_DATA_MBLK, (size_t)cipherlen,
			CRYPT_ENCRYPT);
	}
failure:
	if (result != CRYPTO_SUCCESS) {
#ifdef DEBUG
		cmn_err(CE_WARN,
			"des_cbc_encrypt: kef_crypt encrypt "
			"failed (len: %ld) - error %0x",
			cipherlen, result);
#endif
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	} else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
		/*
		 * Because we are using KEF, we must manually
		 * update our IV.
		 */
		bcopy(mp->b_wptr - tmi->enc_data.ivlen,
			tmi->enc_data.block, tmi->enc_data.ivlen);
	}
	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		mp->b_wptr = mp->b_rptr + cipherlen;
	}

	return (mp);
}

/*
 * des_cbc_decrypt
 *
 *
 * Needed to support userland apps that must support Kerberos V5
 * encryption DES-CBC decryption modes.
 *
 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
 *
 * format of ciphertext for DES-CBC functions, per RFC1510 is:
 *  +-----------+----------+-------------+-----+
 *  |confounder |  cksum   |   msg-data  | pad |
 *  +-----------+----------+-------------+-----+
 *
 * format of ciphertext when using DES3-SHA1-HMAC
 *  +-----------+----------+-------------+-----+
 *  |confounder |  msg-data  |   hmac    | pad |
 *  +-----------+----------+-------------+-----+
 *
 *  The confounder is 8 bytes of random data.
 *  The cksum depends on the hash being used.
 *   4 bytes for CRC32
 *  16 bytes for MD5
 *  20 bytes for SHA1
 *   0 bytes for RAW
 *
 */
static mblk_t *
des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
{
	uint_t inlen, datalen;
	int result = 0;
	uchar_t *optr = NULL;
	uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
	uchar_t nextiv[DEFAULT_DES_BLOCKLEN];

	/* Compute adjusted size */
	inlen = MBLKL(mp);

	optr = mp->b_rptr;

	/*
	 * In order to support the "old" Kerberos RCMD protocol,
	 * we must use the IVEC 3 different ways:
	 *   IVEC_REUSE = keep using the same IV each time, this is
	 *		ugly and insecure, but necessary for
	 *		backwards compatibility with existing MIT code.
	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
	 *		was setup (see setup_crypto routine).
	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
	 */
	if (tmi->dec_data.ivec_usage == IVEC_NEVER)
		bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
	else if (tmi->dec_data.ivec_usage == IVEC_REUSE)
		bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
		    tmi->dec_data.blocklen);

	if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		/*
		 * Do not decrypt the HMAC at the end
		 */
		int decrypt_len = inlen - hash->hash_len;

		/*
		 * Move the wptr so the mblk appears to end
		 * BEFORE the HMAC section.
		 */
		mp->b_wptr = mp->b_rptr + decrypt_len;

		/*
		 * Because we are using KEF, we must manually update our
		 * IV.
		 */
		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
			bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen,
				nextiv, tmi->dec_data.ivlen);
		}

		result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
			(char *)newcksum, hash->hash_len);
	} else {
		/*
		 * Because we are using KEF, we must manually update our
		 * IV.
		 */
		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
			bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv,
				tmi->dec_data.ivlen);
		}
		result = kef_crypt(&tmi->dec_data, (void *)mp,
			CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
	}
	if (result != CRYPTO_SUCCESS) {
#ifdef DEBUG
		cmn_err(CE_WARN,
			"des_cbc_decrypt: kef_crypt decrypt "
			"failed - error %0x", result);
#endif
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	}

	/*
	 * Manually update the IV, KEF does not track this for us.
	 */
	if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
		bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen);
	}

	/* Verify the checksum(if necessary) */
	if (hash->hash_len > 0) {
		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
			bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
				hash->hash_len);
		} else {
			bcopy(optr + hash->confound_len, cksum, hash->hash_len);

			/* zero the cksum in the buffer */
			ASSERT(optr + hash->confound_len + hash->hash_len <=
				DB_LIM(mp));
			bzero(optr + hash->confound_len, hash->hash_len);

			/* calculate MD5 chksum of confounder + input */
			if (hash->hashfunc) {
				(void) hash->hashfunc(newcksum, optr, inlen);
			}
		}

		if (bcmp(cksum, newcksum, hash->hash_len)) {
#ifdef DEBUG
			cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
				"verification failed");
#endif
			mp->b_datap->db_type = M_ERROR;
			mp->b_rptr = mp->b_datap->db_base;
			*mp->b_rptr = EIO;
			mp->b_wptr = mp->b_rptr + sizeof (char);
			freemsg(mp->b_cont);
			mp->b_cont = NULL;
			qreply(WR(q), mp);
			return (NULL);
		}
	}

	datalen = inlen - hash->confound_len - hash->hash_len;

	/* Move just the decrypted input into place if necessary */
	if (hash->confound_len > 0 || hash->hash_len > 0) {
		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1)
			mp->b_rptr += hash->confound_len;
		else
			mp->b_rptr += hash->confound_len + hash->hash_len;
	}

	ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
	mp->b_wptr = mp->b_rptr + datalen;

	return (mp);
}

static mblk_t *
do_decrypt(queue_t *q, mblk_t *mp)
{
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
	mblk_t *outmp;

	switch (tmi->dec_data.method) {
	case CRYPT_METHOD_DES_CFB:
		outmp = des_cfb_decrypt(q, tmi, mp);
		break;
	case CRYPT_METHOD_NONE:
		outmp = mp;
		break;
	case CRYPT_METHOD_DES_CBC_NULL:
		outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
		break;
	}
	return (outmp);
}

/*
 * do_encrypt
 *
 * Generic encryption routine for a single message block.
 * The input mblk may be replaced by some encrypt routines
 * because they add extra data in some cases that may exceed
 * the input mblk_t size limit.
 */
static mblk_t *
do_encrypt(queue_t *q, mblk_t *mp)
{
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
	mblk_t *outmp;

	switch (tmi->enc_data.method) {
	case CRYPT_METHOD_DES_CFB:
		outmp = des_cfb_encrypt(q, tmi, mp);
		break;
	case CRYPT_METHOD_DES_CBC_NULL:
		outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
		break;
	case CRYPT_METHOD_NONE:
		outmp = mp;
		break;
	}
	return (outmp);
}

/*
 * setup_crypto
 *
 * This takes the data from the CRYPTIOCSETUP ioctl
 * and sets up a cipher_data_t structure for either
 * encryption or decryption.  This is where the
 * key and initialization vector data get stored
 * prior to beginning any crypto functions.
 *
 * Special note:
 *   Some applications(e.g. telnetd) have ability to switch
 * crypto on/off periodically.  Thus, the application may call
 * the CRYPTIOCSETUP ioctl many times for the same stream.
 * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
 * assume that the key, block, and saveblock fields that are already
 * set from a previous CRIOCSETUP call are still valid.  This helps avoid
 * a rekeying error that could occur if we overwrite these fields
 * with each CRYPTIOCSETUP call.
 *   In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
 * without resetting the original crypto parameters.
 *
 */
static int
setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
{
	uint_t newblocklen;
	uint32_t enc_usage = 0, dec_usage = 0;
	int rv;

	/*
	 * Initial sanity checks
	 */
	if (!CR_METHOD_OK(ci->crypto_method)) {
		cmn_err(CE_WARN, "Illegal crypto method (%d)",
			ci->crypto_method);
		return (EINVAL);
	}
	if (!CR_OPTIONS_OK(ci->option_mask)) {
		cmn_err(CE_WARN, "Illegal crypto options (%d)",
			ci->option_mask);
		return (EINVAL);
	}
	if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
		cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
			ci->ivec_usage);
		return (EINVAL);
	}

	cd->method = ci->crypto_method;
	cd->bytes = 0;

	if (ci->keylen > 0) {
		if (cd->key != NULL) {
			kmem_free(cd->key, cd->keylen);
			cd->key = NULL;
			cd->keylen = 0;
		}
		/*
		 * cd->key holds the copy of the raw key bytes passed in
		 * from the userland app.
		 */
		cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP);

		cd->keylen = ci->keylen;
		bcopy(ci->key, cd->key, (size_t)ci->keylen);
	}

	/*
	 * Configure the block size based on the type of cipher.
	 */
	switch (cd->method) {
		case CRYPT_METHOD_NONE:
			newblocklen = 0;
			break;
		case CRYPT_METHOD_DES_CFB:
			newblocklen = DEFAULT_DES_BLOCKLEN;
			cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
			break;
		case CRYPT_METHOD_DES_CBC_NULL:
		case CRYPT_METHOD_DES_CBC_MD5:
		case CRYPT_METHOD_DES_CBC_CRC:
			newblocklen = DEFAULT_DES_BLOCKLEN;
			cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
			break;
		case CRYPT_METHOD_DES3_CBC_SHA1:
			newblocklen = DEFAULT_DES_BLOCKLEN;
			cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
			/* 3DES always uses the old usage constant */
			enc_usage = RCMDV1_USAGE;
			dec_usage = RCMDV1_USAGE;
			break;
		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
			newblocklen = 0;
			cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
			break;
		case CRYPT_METHOD_AES128:
		case CRYPT_METHOD_AES256:
			newblocklen = DEFAULT_AES_BLOCKLEN;
			cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
			enc_usage = AES_ENCRYPT_USAGE;
			dec_usage = AES_DECRYPT_USAGE;
			break;
	}
	if (cd->mech_type == CRYPTO_MECH_INVALID) {
		return (CRYPTO_FAILED);
	}

	/*
	 * If RC4, initialize the master crypto key used by
	 * the RC4 algorithm to derive the final encrypt and decrypt keys.
	 */
	if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
		/*
		 * cd->ckey is a kernel crypto key structure used as the
		 * master key in the RC4-HMAC crypto operations.
		 */
		if (cd->ckey == NULL) {
			cd->ckey = (crypto_key_t *)kmem_zalloc(
				sizeof (crypto_key_t), KM_SLEEP);
		}

		cd->ckey->ck_format = CRYPTO_KEY_RAW;
		cd->ckey->ck_data = cd->key;

		/* key length for EF is measured in bits */
		cd->ckey->ck_length = cd->keylen * 8;
	}

	/*
	 * cd->block and cd->saveblock are used as temporary storage for
	 * data that must be carried over between encrypt/decrypt operations
	 * in some of the "feedback" modes.
	 */
	if (newblocklen != cd->blocklen) {
		if (cd->block != NULL) {
			kmem_free(cd->block, cd->blocklen);
			cd->block = NULL;
		}

		if (cd->saveblock != NULL) {
			kmem_free(cd->saveblock, cd->blocklen);
			cd->saveblock = NULL;
		}

		cd->blocklen = newblocklen;
		if (cd->blocklen) {
			cd->block = (char *)kmem_zalloc((size_t)cd->blocklen,
				KM_SLEEP);
		}

		if (cd->method == CRYPT_METHOD_DES_CFB)
			cd->saveblock = (char *)kmem_zalloc(cd->blocklen,
						KM_SLEEP);
		else
			cd->saveblock = NULL;
	}

	if (ci->iveclen != cd->ivlen) {
		if (cd->ivec != NULL) {
			kmem_free(cd->ivec, cd->ivlen);
			cd->ivec = NULL;
		}
		if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
			cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen,
						KM_SLEEP);
			cd->ivlen = ci->iveclen;
		} else {
			cd->ivlen = 0;
			cd->ivec = NULL;
		}
	}
	cd->option_mask = ci->option_mask;

	/*
	 * Old protocol requires a static 'usage' value for
	 * deriving keys.  Yuk.
	 */
	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
		enc_usage = dec_usage = RCMDV1_USAGE;
	}

	if (cd->ivlen > cd->blocklen) {
		cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
		return (EINVAL);
	}

	/*
	 * If we are using an IVEC "correctly" (i.e. set it once)
	 * copy it here.
	 */
	if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
		bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);

	cd->ivec_usage = ci->ivec_usage;
	if (cd->ivec != NULL) {
		/* Save the original IVEC in case we need it later */
		bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
	}
	/*
	 * Special handling for 3DES-SHA1-HMAC and AES crypto:
	 * generate derived keys and context templates
	 * for better performance.
	 */
	if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
	    IS_AES_METHOD(cd->method)) {
		crypto_mechanism_t enc_mech;
		crypto_mechanism_t hmac_mech;

		if (cd->d_encr_key.ck_data != NULL) {
			bzero(cd->d_encr_key.ck_data, cd->keylen);
			kmem_free(cd->d_encr_key.ck_data, cd->keylen);
		}

		if (cd->d_hmac_key.ck_data != NULL) {
			bzero(cd->d_hmac_key.ck_data, cd->keylen);
			kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
		}

		if (cd->enc_tmpl != NULL)
			(void) crypto_destroy_ctx_template(cd->enc_tmpl);

		if (cd->hmac_tmpl != NULL)
			(void) crypto_destroy_ctx_template(cd->hmac_tmpl);

		enc_mech.cm_type = cd->mech_type;
		enc_mech.cm_param = cd->ivec;
		enc_mech.cm_param_len = cd->ivlen;

		hmac_mech.cm_type = sha1_hmac_mech;
		hmac_mech.cm_param = NULL;
		hmac_mech.cm_param_len = 0;

		/*
		 * Create the derived keys.
		 */
		rv = create_derived_keys(cd,
			(encrypt ? enc_usage : dec_usage),
			&cd->d_encr_key, &cd->d_hmac_key);

		if (rv != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create derived "
				"keys: %0x", rv);
			return (CRYPTO_FAILED);
		}

		rv = crypto_create_ctx_template(&enc_mech,
					&cd->d_encr_key,
					&cd->enc_tmpl, KM_SLEEP);
		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
			cd->enc_tmpl = NULL;
		} else if (rv != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create enc template "
				"for d_encr_key: %0x", rv);
			return (CRYPTO_FAILED);
		}

		rv = crypto_create_ctx_template(&hmac_mech,
				&cd->d_hmac_key,
				&cd->hmac_tmpl, KM_SLEEP);
		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
			cd->hmac_tmpl = NULL;
		} else if (rv != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create hmac template:"
				" %0x", rv);
			return (CRYPTO_FAILED);
		}
	} else if (IS_RC4_METHOD(cd->method)) {
		bzero(&cd->d_encr_key, sizeof (crypto_key_t));
		bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
		cd->ctx = NULL;
		cd->enc_tmpl = NULL;
		cd->hmac_tmpl = NULL;
	}

	/* Final sanity checks, make sure no fields are NULL */
	if (cd->method != CRYPT_METHOD_NONE) {
		if (cd->block == NULL && cd->blocklen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
				"setup_crypto: IV block not allocated");
#endif
			return (ENOMEM);
		}
		if (cd->key == NULL && cd->keylen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
				"setup_crypto: key block not allocated");
#endif
			return (ENOMEM);
		}
		if (cd->method == CRYPT_METHOD_DES_CFB &&
		    cd->saveblock == NULL && cd->blocklen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
				"setup_crypto: save block not allocated");
#endif
			return (ENOMEM);
		}
		if (cd->ivec == NULL && cd->ivlen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
				"setup_crypto: IV not allocated");
#endif
			return (ENOMEM);
		}
	}
	return (0);
}

/*
 * RCMDS require a 4 byte, clear text
 * length field before each message.
 * Add it now.
 */
static mblk_t *
mklenmp(mblk_t *bp, uint32_t len)
{
	mblk_t *lenmp;
	uchar_t *ucp;

	if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) {
		lenmp = allocb(4, BPRI_MED);
		if (lenmp != NULL) {
			lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
			linkb(lenmp, bp);
			bp = lenmp;
		}
	}
	ucp = bp->b_rptr;
	*--ucp = len;
	*--ucp = len >> 8;
	*--ucp = len >> 16;
	*--ucp = len >> 24;

	bp->b_rptr = ucp;

	return (bp);
}

static mblk_t *
encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen)
{
	mblk_t *newmp;
	size_t headspace;

	mblk_t *cbp;
	size_t cipherlen;
	size_t extra = 0;
	uint32_t ptlen = (uint32_t)plainlen;
	/*
	 * If we are using the "NEW" RCMD mode,
	 * add 4 bytes to the plaintext for the
	 * plaintext length that gets prepended
	 * before encrypting.
	 */
	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
		ptlen += 4;

	cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);

	/*
	 * if we must allocb, then make sure its enough
	 * to hold the length field so we dont have to allocb
	 * again down below in 'mklenmp'
	 */
	if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
		extra = sizeof (uint32_t);
	}

	/*
	 * Calculate how much space is needed in front of
	 * the data.
	 */
	headspace = plaintext_offset(&tmi->enc_data);

	/*
	 * If the current block is too small, reallocate
	 * one large enough to hold the hdr, tail, and
	 * ciphertext.
	 */
	if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
		int sz = P2ROUNDUP(cipherlen+extra, 8);

		cbp = allocb_tmpl(sz, mp);
		if (cbp == NULL) {
			cmn_err(CE_WARN,
				"allocb (%d bytes) failed", sz);
			return (NULL);
		}

		cbp->b_cont = mp->b_cont;

		/*
		 * headspace includes the length fields needed
		 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
		 */
		ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen+headspace, 8)
			<= DB_LIM(cbp));

		cbp->b_rptr = DB_BASE(cbp) + headspace;
		bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
		cbp->b_wptr = cbp->b_rptr + plainlen;

		freeb(mp);
	} else {
		size_t extra = 0;
		cbp = mp;

		/*
		 * Some ciphers add HMAC after the final block
		 * of the ciphertext, not at the beginning like the
		 * 1-DES ciphers.
		 */
		if (tmi->enc_data.method ==
			CRYPT_METHOD_DES3_CBC_SHA1 ||
		    IS_AES_METHOD(tmi->enc_data.method)) {
			extra = sha1_hash.hash_len;
		}

		/*
		 * Make sure the rptr is positioned correctly so that
		 * routines later do not have to shift this data around
		 */
		if ((cbp->b_rptr + P2ROUNDUP(cipherlen + extra, 8) >
			DB_LIM(cbp)) ||
			(cbp->b_rptr - headspace < DB_BASE(cbp))) {
			ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
				plainlen);
			cbp->b_rptr = DB_BASE(cbp) + headspace;
			cbp->b_wptr = cbp->b_rptr + plainlen;
		}
	}

	ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
	ASSERT(cbp->b_wptr <= DB_LIM(cbp));

	/*
	 * If using RCMD_MODE_V2 (new rcmd mode), prepend
	 * the plaintext length before the actual plaintext.
	 */
	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
		cbp->b_rptr -= RCMD_LEN_SZ;

		/* put plaintext length at head of buffer */
		*(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
		*(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
		*(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
		*(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
	}

	newmp = do_encrypt(q, cbp);

	if (newmp != NULL &&
	    (tmi->enc_data.option_mask &
	    (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
		mblk_t *lp;
		/*
		 * Add length field, required when this is
		 * used to encrypt "r*" commands(rlogin, rsh)
		 * with Kerberos.
		 */
		lp = mklenmp(newmp, plainlen);

		if (lp == NULL) {
			freeb(newmp);
			return (NULL);
		} else {
			newmp = lp;
		}
	}
	return (newmp);
}

/*
 * encrypt_msgb
 *
 * encrypt a single message. This routine adds the
 * RCMD overhead bytes when necessary.
 */
static mblk_t *
encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	size_t plainlen, outlen;
	mblk_t *newmp = NULL;

	/* If not encrypting, do nothing */
	if (tmi->enc_data.method == CRYPT_METHOD_NONE) {
		return (mp);
	}

	plainlen = MBLKL(mp);
	if (plainlen == 0)
		return (NULL);

	/*
	 * If the block is too big, we encrypt in 4K chunks so that
	 * older rlogin clients do not choke on the larger buffers.
	 */
	while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) {
		mblk_t *mp1 = NULL;
		outlen = MSGBUF_SIZE;
		/*
		 * Allocate a new buffer that is only 4K bytes, the
		 * extra bytes are for crypto overhead.
		 */
		mp1 = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED);
		if (mp1 == NULL) {
			cmn_err(CE_WARN,
				"allocb (%d bytes) failed",
				(int)(outlen + CONFOUNDER_BYTES));
			return (NULL);
		}
		/* Copy the next 4K bytes from the old block. */
		bcopy(mp->b_rptr, mp1->b_rptr, outlen);
		mp1->b_wptr = mp1->b_rptr + outlen;
		/* Advance the old block. */
		mp->b_rptr += outlen;

		/* encrypt the new block */
		newmp = encrypt_block(q, tmi, mp1, outlen);
		if (newmp == NULL)
			return (NULL);

		putnext(q, newmp);
	}
	newmp = NULL;
	/* If there is data left (< MSGBUF_SIZE), encrypt it. */
	if ((plainlen = MBLKL(mp)) > 0)
		newmp = encrypt_block(q, tmi, mp, plainlen);

	return (newmp);
}

/*
 * cryptmodwsrv
 *
 * Service routine for the write queue.
 *
 * Because data may be placed in the queue to hold between
 * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
 */
static int
cryptmodwsrv(queue_t *q)
{
	mblk_t *mp;
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;

	while ((mp = getq(q)) != NULL) {
		switch (mp->b_datap->db_type) {
		default:
			/*
			 * wput does not queue anything > QPCTL
			 */
			if (!canputnext(q) ||
			    !(tmi->ready & CRYPT_WRITE_READY)) {
				if (!putbq(q, mp)) {
					freemsg(mp);
				}
				return (0);
			}
			putnext(q, mp);
			break;
		case M_DATA:
			if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) {
				mblk_t *bp;
				mblk_t *newmsg = NULL;

				/*
				 * If multiple msgs, concat into 1
				 * to minimize crypto operations later.
				 */
				if (mp->b_cont != NULL) {
					bp = msgpullup(mp, -1);
					if (bp != NULL) {
						freemsg(mp);
						mp = bp;
					}
				}
				newmsg = encrypt_msgb(q, tmi, mp);
				if (newmsg != NULL)
					putnext(q, newmsg);
			} else {
				if (!putbq(q, mp)) {
					freemsg(mp);
				}
				return (0);
			}
			break;
		}
	}
	return (0);
}

static void
start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
{
	mblk_t *newmp = NULL;
	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;

	if (dir == CRYPT_ENCRYPT) {
		tmi->ready |= CRYPT_WRITE_READY;
		(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
				"start_stream: restart ENCRYPT/WRITE q"));

		enableok(wq);
		qenable(wq);
	} else if (dir == CRYPT_DECRYPT) {
		/*
		 * put any extra data in the RD
		 * queue to be processed and
		 * sent back up.
		 */
		newmp = mp->b_cont;
		mp->b_cont = NULL;

		tmi->ready |= CRYPT_READ_READY;
		(void) (STRLOG(CRYPTMOD_ID, 0, 5,
				SL_TRACE|SL_NOTE,
				"start_stream: restart "
				"DECRYPT/READ q"));

		if (newmp != NULL)
			if (!putbq(RD(wq), newmp))
				freemsg(newmp);

		enableok(RD(wq));
		qenable(RD(wq));
	}

	miocack(wq, mp, 0, 0);
}

/*
 * Write-side put procedure.  Its main task is to detect ioctls and
 * FLUSH operations.  Other message types are passed on through.
 */
static int
cryptmodwput(queue_t *wq, mblk_t *mp)
{
	struct iocblk *iocp;
	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
	int ret, err;

	switch (mp->b_datap->db_type) {
	case M_DATA:
		if (wq->q_first == NULL && canputnext(wq) &&
		    (tmi->ready & CRYPT_WRITE_READY) &&
		    tmi->enc_data.method == CRYPT_METHOD_NONE) {
			putnext(wq, mp);
			return (0);
		}
		/* else, put it in the service queue */
		if (!putq(wq, mp)) {
			freemsg(mp);
		}
		break;
	case M_FLUSH:
		if (*mp->b_rptr & FLUSHW) {
			flushq(wq, FLUSHDATA);
		}
		putnext(wq, mp);
		break;
	case M_IOCTL:
		iocp = (struct iocblk *)mp->b_rptr;
		switch (iocp->ioc_cmd) {
		case CRYPTIOCSETUP:
			ret = 0;
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
					SL_TRACE | SL_NOTE,
					"wput: got CRYPTIOCSETUP "
					"ioctl(%d)", iocp->ioc_cmd));

			if ((err = miocpullup(mp,
					sizeof (struct cr_info_t))) != 0) {
				cmn_err(CE_WARN,
				"wput: miocpullup failed for cr_info_t");
				miocnak(wq, mp, 0, err);
			} else {
				struct cr_info_t *ci;
				ci = (struct cr_info_t *)mp->b_cont->b_rptr;

				if (ci->direction_mask & CRYPT_ENCRYPT) {
				    ret = setup_crypto(ci, &tmi->enc_data, 1);
				}

				if (ret == 0 &&
				    (ci->direction_mask & CRYPT_DECRYPT)) {
				    ret = setup_crypto(ci, &tmi->dec_data, 0);
				}
				if (ret == 0 &&
				    (ci->direction_mask & CRYPT_DECRYPT) &&
				    ANY_RCMD_MODE(tmi->dec_data.option_mask)) {
					bzero(&tmi->rcmd_state,
					    sizeof (tmi->rcmd_state));
				}
				if (ret == 0) {
					miocack(wq, mp, 0, 0);
				} else {
					cmn_err(CE_WARN,
						"wput: setup_crypto failed");
					miocnak(wq, mp, 0, ret);
				}
				(void) (STRLOG(CRYPTMOD_ID, 0, 5,
						SL_TRACE|SL_NOTE,
						"wput: done with SETUP "
						"ioctl"));
			}
			break;
		case CRYPTIOCSTOP:
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
					SL_TRACE|SL_NOTE,
					"wput: got CRYPTIOCSTOP "
					"ioctl(%d)", iocp->ioc_cmd));

			if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) {
				cmn_err(CE_WARN,
					"wput: CRYPTIOCSTOP ioctl wrong "
					"size (%d should be %d)",
					(int)iocp->ioc_count,
					(int)sizeof (uint32_t));
				miocnak(wq, mp, 0, err);
			} else {
				uint32_t *stopdir;

				stopdir = (uint32_t *)mp->b_cont->b_rptr;
				if (!CR_DIRECTION_OK(*stopdir)) {
					miocnak(wq, mp, 0, EINVAL);
					return (0);
				}

				/* disable the queues until further notice */
				if (*stopdir & CRYPT_ENCRYPT) {
					noenable(wq);
					tmi->ready &= ~CRYPT_WRITE_READY;
				}
				if (*stopdir & CRYPT_DECRYPT) {
					noenable(RD(wq));
					tmi->ready &= ~CRYPT_READ_READY;
				}

				miocack(wq, mp, 0, 0);
			}
			break;
		case CRYPTIOCSTARTDEC:
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
					SL_TRACE|SL_NOTE,
					"wput: got CRYPTIOCSTARTDEC "
					"ioctl(%d)", iocp->ioc_cmd));

			start_stream(wq, mp, CRYPT_DECRYPT);
			break;
		case CRYPTIOCSTARTENC:
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
					SL_TRACE|SL_NOTE,
					"wput: got CRYPTIOCSTARTENC "
					"ioctl(%d)", iocp->ioc_cmd));

			start_stream(wq, mp, CRYPT_ENCRYPT);
			break;
		default:
			putnext(wq, mp);
			break;
		}
		break;
	default:
		if (queclass(mp) < QPCTL) {
			if (wq->q_first != NULL || !canputnext(wq)) {
				if (!putq(wq, mp))
					freemsg(mp);
				return (0);
			}
		}
		putnext(wq, mp);
		break;
	}
	return (0);
}

/*
 * decrypt_rcmd_mblks
 *
 * Because kerberized r* commands(rsh, rlogin, etc)
 * use a 4 byte length field to indicate the # of
 * PLAINTEXT bytes that are encrypted in the field
 * that follows, we must parse out each message and
 * break out the length fields prior to sending them
 * upstream to our Solaris r* clients/servers which do
 * NOT understand this format.
 *
 * Kerberized/encrypted message format:
 * -------------------------------
 * | XXXX | N bytes of ciphertext|
 * -------------------------------
 *
 * Where: XXXX = number of plaintext bytes that were encrypted in
 *               to make the ciphertext field.  This is done
 *               because we are using a cipher that pads out to
 *               an 8 byte boundary.  We only want the application
 *               layer to see the correct number of plain text bytes,
 *               not plaintext + pad.  So, after we decrypt, we
 *               must trim the output block down to the intended
 *               plaintext length and eliminate the pad bytes.
 *
 * This routine takes the entire input message, breaks it into
 * a new message that does not contain these length fields and
 * returns a message consisting of mblks filled with just ciphertext.
 *
 */
static mblk_t *
decrypt_rcmd_mblks(queue_t *q, mblk_t *mp)
{
	mblk_t *newmp = NULL;
	size_t msglen;
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;

	msglen = msgsize(mp);

	/*
	 * If we need the length field, get it here.
	 * Test the "plaintext length" indicator.
	 */
	if (tmi->rcmd_state.pt_len == 0) {
		uint32_t elen;
		int tocopy;
		mblk_t *nextp;

		/*
		 * Make sure we have recieved all 4 bytes of the
		 * length field.
		 */
		while (mp != NULL) {
			ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t));

			tocopy = sizeof (uint32_t) -
				tmi->rcmd_state.cd_len;
			if (tocopy > msglen)
				tocopy = msglen;

			ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp));
			bcopy(mp->b_rptr,
				(char *)(&tmi->rcmd_state.next_len +
					tmi->rcmd_state.cd_len), tocopy);

			tmi->rcmd_state.cd_len += tocopy;

			if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) {
				tmi->rcmd_state.next_len =
					ntohl(tmi->rcmd_state.next_len);
				break;
			}

			nextp = mp->b_cont;
			mp->b_cont = NULL;
			freeb(mp);
			mp = nextp;
		}

		if (mp == NULL) {
			return (NULL);
		}
		/*
		 * recalculate the msglen now that we've read the
		 * length and adjusted the bufptr (b_rptr).
		 */
		msglen -= tocopy;
		mp->b_rptr += tocopy;

		tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len;

		if (tmi->rcmd_state.pt_len <= 0) {
			/*
			 * Return an IO error to break the connection. there
			 * is no way to recover from this.  Usually it means
			 * the app has incorrectly requested decryption on
			 * a non-encrypted stream, thus the "pt_len" field
			 * is negative.
			 */
			mp->b_datap->db_type = M_ERROR;
			mp->b_rptr = mp->b_datap->db_base;
			*mp->b_rptr = EIO;
			mp->b_wptr = mp->b_rptr + sizeof (char);

			freemsg(mp->b_cont);
			mp->b_cont = NULL;
			qreply(WR(q), mp);
			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
			return (NULL);
		}

		/*
		 * If this is V2 mode, then the encrypted data is actually
		 * 4 bytes bigger than the indicated len because the plaintext
		 * length is encrypted for an additional security check, but
		 * its not counted as part of the overall length we just read.
		 * Strange and confusing, but true.
		 */

		if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
			elen = tmi->rcmd_state.pt_len + 4;
		else
			elen = tmi->rcmd_state.pt_len;

		tmi->rcmd_state.cd_len  = encrypt_size(&tmi->dec_data, elen);

		/*
		 * Allocate an mblk to hold the cipher text until it is
		 * all ready to be processed.
		 */
		tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len,
						BPRI_HI);
		if (tmi->rcmd_state.c_msg == NULL) {
#ifdef DEBUG
			cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed "
				"for %d bytes",
				(int)tmi->rcmd_state.cd_len);
#endif
			/*
			 * Return an IO error to break the connection.
			 */
			mp->b_datap->db_type = M_ERROR;
			mp->b_rptr = mp->b_datap->db_base;
			*mp->b_rptr = EIO;
			mp->b_wptr = mp->b_rptr + sizeof (char);
			freemsg(mp->b_cont);
			mp->b_cont = NULL;
			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
			qreply(WR(q), mp);
			return (NULL);
		}
	}

	/*
	 * If this entire message was just the length field,
	 * free and return.  The actual data will probably be next.
	 */
	if (msglen == 0) {
		freemsg(mp);
		return (NULL);
	}

	/*
	 * Copy as much of the cipher text as possible into
	 * the new msgb (c_msg).
	 *
	 * Logic:  if we got some bytes (msglen) and we still
	 * 	"need" some bytes (len-rcvd), get them here.
	 */
	ASSERT(tmi->rcmd_state.c_msg != NULL);
	if (msglen > 0 &&
	    (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) {
		mblk_t *bp, *nextp;
		size_t n;

		/*
		 * Walk the mblks and copy just as many bytes as we need
		 * for this particular block of cipher text.
		 */
		bp = mp;
		while (bp != NULL) {
			size_t needed;
			size_t tocopy;
			n = MBLKL(bp);

			needed = tmi->rcmd_state.cd_len -
				MBLKL(tmi->rcmd_state.c_msg);

			tocopy = (needed >= n ? n : needed);

			ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp));
			ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <=
				DB_LIM(tmi->rcmd_state.c_msg));

			/* Copy to end of new mblk */
			bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr,
				tocopy);

			tmi->rcmd_state.c_msg->b_wptr += tocopy;

			bp->b_rptr += tocopy;

			nextp = bp->b_cont;

			/*
			 * If we used this whole block, free it and
			 * move on.
			 */
			if (!MBLKL(bp)) {
				freeb(bp);
				bp = NULL;
			}

			/* If we got what we needed, stop the loop */
			if (MBLKL(tmi->rcmd_state.c_msg) ==
			    tmi->rcmd_state.cd_len) {
				/*
				 * If there is more data in the message,
				 * its for another block of cipher text,
				 * put it back in the queue for next time.
				 */
				if (bp) {
					if (!putbq(q, bp))
						freemsg(bp);
				} else if (nextp != NULL) {
					/*
					 * If there is more, put it back in the
					 * queue for another pass thru.
					 */
					if (!putbq(q, nextp))
						freemsg(nextp);
				}
				break;
			}
			bp = nextp;
		}
	}
	/*
	 * Finally, if we received all the cipher text data for
	 * this message, decrypt it into a new msg and send it up
	 * to the app.
	 */
	if (tmi->rcmd_state.pt_len > 0 &&
	    MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) {
		mblk_t *bp;
		mblk_t *newbp;

		/*
		 * Now we can use our msg that we created when the
		 * initial message boundary was detected.
		 */
		bp = tmi->rcmd_state.c_msg;
		tmi->rcmd_state.c_msg = NULL;

		newbp = do_decrypt(q, bp);
		if (newbp != NULL) {
			bp = newbp;
			/*
			 * If using RCMD_MODE_V2 ("new" mode),
			 * look at the 4 byte plaintext length that
			 * was just decrypted and compare with the
			 * original pt_len value that was received.
			 */
			if (tmi->dec_data.option_mask &
			    CRYPTOPT_RCMD_MODE_V2) {
				uint32_t pt_len2;

				pt_len2 = *(uint32_t *)bp->b_rptr;
				pt_len2 = ntohl(pt_len2);
				/*
				 * Make sure the 2 pt len fields agree.
				 */
				if (pt_len2 != tmi->rcmd_state.pt_len) {
					cmn_err(CE_WARN,
						"Inconsistent length fields"
						" received %d != %d",
						(int)tmi->rcmd_state.pt_len,
						(int)pt_len2);
					bp->b_datap->db_type = M_ERROR;
					bp->b_rptr = bp->b_datap->db_base;
					*bp->b_rptr = EIO;
					bp->b_wptr = bp->b_rptr + sizeof (char);
					freemsg(bp->b_cont);
					bp->b_cont = NULL;
					tmi->rcmd_state.cd_len = 0;
					qreply(WR(q), bp);
					return (NULL);
				}
				bp->b_rptr += sizeof (uint32_t);
			}

			/*
			 * Trim the decrypted block the length originally
			 * indicated by the sender.  This is to remove any
			 * padding bytes that the sender added to satisfy
			 * requirements of the crypto algorithm.
			 */
			bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len;

			newmp = bp;

			/*
			 * Reset our state to indicate we are ready
			 * for a new message.
			 */
			tmi->rcmd_state.pt_len = 0;
			tmi->rcmd_state.cd_len = 0;
		} else {
#ifdef DEBUG
			cmn_err(CE_WARN,
				"decrypt_rcmd: do_decrypt on %d bytes failed",
				(int)tmi->rcmd_state.cd_len);
#endif
			/*
			 * do_decrypt already handled failures, just
			 * return NULL.
			 */
			tmi->rcmd_state.pt_len = 0;
			tmi->rcmd_state.cd_len = 0;
			return (NULL);
		}
	}

	/*
	 * return the new message with the 'length' fields removed
	 */
	return (newmp);
}

/*
 * cryptmodrsrv
 *
 * Read queue service routine
 * Necessary because if the ready flag is not set
 * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
 * must remain on queue and not be passed along.
 */
static int
cryptmodrsrv(queue_t *q)
{
	mblk_t *mp, *bp;
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;

	while ((mp = getq(q)) != NULL) {
		switch (mp->b_datap->db_type) {
		case M_DATA:
			if (canputnext(q) && tmi->ready & CRYPT_READ_READY) {
				/*
				 * Process "rcmd" messages differently because
				 * they contain a 4 byte plaintext length
				 * id that needs to be removed.
				 */
				if (tmi->dec_data.method != CRYPT_METHOD_NONE &&
				    (tmi->dec_data.option_mask &
				    (CRYPTOPT_RCMD_MODE_V1 |
				    CRYPTOPT_RCMD_MODE_V2))) {
					mp = decrypt_rcmd_mblks(q, mp);
					if (mp)
						putnext(q, mp);
					continue;
				}
				if ((bp = msgpullup(mp, -1)) != NULL) {
					freemsg(mp);
					if (MBLKL(bp) > 0) {
						mp = do_decrypt(q, bp);
						if (mp != NULL)
							putnext(q, mp);
					}
				}
			} else {
				if (!putbq(q, mp)) {
					freemsg(mp);
				}
				return (0);
			}
			break;
		default:
			/*
			 * rput does not queue anything > QPCTL, so we don't
			 * need to check for it here.
			 */
			if (!canputnext(q)) {
				if (!putbq(q, mp))
					freemsg(mp);
				return (0);
			}
			putnext(q, mp);
			break;
		}
	}
	return (0);
}


/*
 * Read-side put procedure.
 */
static int
cryptmodrput(queue_t *rq, mblk_t *mp)
{
	switch (mp->b_datap->db_type) {
	case M_DATA:
		if (!putq(rq, mp)) {
			freemsg(mp);
		}
		break;
	case M_FLUSH:
		if (*mp->b_rptr & FLUSHR) {
			flushq(rq, FLUSHALL);
		}
		putnext(rq, mp);
		break;
	default:
		if (queclass(mp) < QPCTL) {
			if (rq->q_first != NULL || !canputnext(rq)) {
				if (!putq(rq, mp))
					freemsg(mp);
				return (0);
			}
		}
		putnext(rq, mp);
		break;
	}
	return (0);
}