search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge remote-tracking branch 'origin/master'
[unleashed/lotheac.git] / usr / src / uts / common / io / cryptmod.c
blobb4361d2622a87ab1aab3a21f771c1fa0b359f369
1 /*
2 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 *
5 * Copyright (c) 2018, Joyent, Inc.
6 *
7 * STREAMS Crypto Module
8 *
9 * This module is used to facilitate Kerberos encryption
10 * operations for the telnet daemon and rlogin daemon.
11 * Because the Solaris telnet and rlogin daemons run mostly
12 * in-kernel via 'telmod' and 'rlmod', this module must be
13 * pushed on the STREAM *below* telmod or rlmod.
14 *
15 * Parts of the 3DES key derivation code are covered by the
16 * following copyright.
17 *
18 * Copyright (C) 1998 by the FundsXpress, INC.
19 *
20 * All rights reserved.
21 *
22 * Export of this software from the United States of America may require
23 * a specific license from the United States Government. It is the
24 * responsibility of any person or organization contemplating export to
25 * obtain such a license before exporting.
26 *
27 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
28 * distribute this software and its documentation for any purpose and
29 * without fee is hereby granted, provided that the above copyright
30 * notice appear in all copies and that both that copyright notice and
31 * this permission notice appear in supporting documentation, and that
32 * the name of FundsXpress. not be used in advertising or publicity pertaining
33 * to distribution of the software without specific, written prior
34 * permission. FundsXpress makes no representations about the suitability of
35 * this software for any purpose. It is provided "as is" without express
36 * or implied warranty.
37 *
38 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
39 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
40 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
41 */
42
43 #include <sys/types.h>
44 #include <sys/sysmacros.h>
45 #include <sys/errno.h>
46 #include <sys/debug.h>
47 #include <sys/time.h>
48 #include <sys/stropts.h>
49 #include <sys/stream.h>
50 #include <sys/strsubr.h>
51 #include <sys/strlog.h>
52 #include <sys/cmn_err.h>
53 #include <sys/conf.h>
54 #include <sys/sunddi.h>
55 #include <sys/kmem.h>
56 #include <sys/strsun.h>
57 #include <sys/random.h>
58 #include <sys/types.h>
59 #include <sys/byteorder.h>
60 #include <sys/cryptmod.h>
61 #include <sys/crc32.h>
62 #include <sys/policy.h>
63
64 #include <sys/crypto/api.h>
65
66 /*
67 * Function prototypes.
68 */
69 static int cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
70 static void cryptmodrput(queue_t *, mblk_t *);
71 static void cryptmodwput(queue_t *, mblk_t *);
72 static int cryptmodclose(queue_t *, int, cred_t *);
73 static int cryptmodwsrv(queue_t *);
74 static int cryptmodrsrv(queue_t *);
75
76 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
77 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);
78
79 #define CRYPTMOD_ID 5150
80
81 #define CFB_BLKSZ 8
82
83 #define K5CLENGTH 5
84
85 static struct module_info cryptmod_minfo = {
86 CRYPTMOD_ID, /* mi_idnum */
87 "cryptmod", /* mi_idname */
88 0, /* mi_minpsz */
89 INFPSZ, /* mi_maxpsz */
90 65536, /* mi_hiwat */
91 1024 /* mi_lowat */
92 };
93
94 static struct qinit cryptmod_rinit = {
95 (int (*)())cryptmodrput, /* qi_putp */
96 cryptmodrsrv, /* qi_svc */
97 cryptmodopen, /* qi_qopen */
98 cryptmodclose, /* qi_qclose */
99 NULL, /* qi_qadmin */
100 &cryptmod_minfo, /* qi_minfo */
101 NULL /* qi_mstat */
102 };
103
104 static struct qinit cryptmod_winit = {
105 (int (*)())cryptmodwput, /* qi_putp */
106 cryptmodwsrv, /* qi_srvp */
107 NULL, /* qi_qopen */
108 NULL, /* qi_qclose */
109 NULL, /* qi_qadmin */
110 &cryptmod_minfo, /* qi_minfo */
111 NULL /* qi_mstat */
112 };
113
114 static struct streamtab cryptmod_info = {
115 &cryptmod_rinit, /* st_rdinit */
116 &cryptmod_winit, /* st_wrinit */
117 NULL, /* st_muxrinit */
118 NULL /* st_muxwinit */
119 };
120
121 typedef struct {
122 uint_t hash_len;
123 uint_t confound_len;
124 int (*hashfunc)();
125 } hash_info_t;
126
127 #define MAX_CKSUM_LEN 20
128 #define CONFOUNDER_LEN 8
129
130 #define SHA1_HASHSIZE 20
131 #define MD5_HASHSIZE 16
132 #define CRC32_HASHSIZE 4
133 #define MSGBUF_SIZE 4096
134 #define CONFOUNDER_BYTES 128
135
136
137 static int crc32_calc(uchar_t *, uchar_t *, uint_t);
138 static int md5_calc(uchar_t *, uchar_t *, uint_t);
139 static int sha1_calc(uchar_t *, uchar_t *, uint_t);
140
141 static hash_info_t null_hash = {0, 0, NULL};
142 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
143 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
144 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};
145
146 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
147 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
148 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
149 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;
150
151 static int kef_crypt(struct cipher_data_t *, void *,
152 crypto_data_format_t, size_t, int);
153 static mblk_t *
154 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
155 mblk_t *, hash_info_t *);
156 static mblk_t *
157 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
158 mblk_t *, hash_info_t *);
159
160 static int
161 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);
162
163 /*
164 * This is the loadable module wrapper.
165 */
166 #include <sys/modctl.h>
167
168 static struct fmodsw fsw = {
169 "cryptmod",
170 &cryptmod_info,
171 D_MP | D_MTQPAIR
172 };
173
174 /*
175 * Module linkage information for the kernel.
176 */
177 static struct modlstrmod modlstrmod = {
178 &mod_strmodops,
179 "STREAMS encryption module",
180 &fsw
181 };
182
183 static struct modlinkage modlinkage = {
184 MODREV_1,
185 &modlstrmod,
186 NULL
187 };
188
189 int
190 _init(void)
191 {
192 return (mod_install(&modlinkage));
193 }
194
195 int
196 _fini(void)
197 {
198 return (mod_remove(&modlinkage));
199 }
200
201 int
202 _info(struct modinfo *modinfop)
203 {
204 return (mod_info(&modlinkage, modinfop));
205 }
206
207 static void
208 cleanup(struct cipher_data_t *cd)
209 {
210 if (cd->key != NULL) {
211 bzero(cd->key, cd->keylen);
212 kmem_free(cd->key, cd->keylen);
213 cd->key = NULL;
214 }
215
216 if (cd->ckey != NULL) {
217 /*
218 * ckey is a crypto_key_t structure which references
219 * "cd->key" for its raw key data. Since that was already
220 * cleared out, we don't need another "bzero" here.
221 */
222 kmem_free(cd->ckey, sizeof (crypto_key_t));
223 cd->ckey = NULL;
224 }
225
226 if (cd->block != NULL) {
227 kmem_free(cd->block, cd->blocklen);
228 cd->block = NULL;
229 }
230
231 if (cd->saveblock != NULL) {
232 kmem_free(cd->saveblock, cd->blocklen);
233 cd->saveblock = NULL;
234 }
235
236 if (cd->ivec != NULL) {
237 kmem_free(cd->ivec, cd->ivlen);
238 cd->ivec = NULL;
239 }
240
241 if (cd->d_encr_key.ck_data != NULL) {
242 bzero(cd->d_encr_key.ck_data, cd->keylen);
243 kmem_free(cd->d_encr_key.ck_data, cd->keylen);
244 }
245
246 if (cd->d_hmac_key.ck_data != NULL) {
247 bzero(cd->d_hmac_key.ck_data, cd->keylen);
248 kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
249 }
250
251 if (cd->enc_tmpl != NULL)
252 (void) crypto_destroy_ctx_template(cd->enc_tmpl);
253
254 if (cd->hmac_tmpl != NULL)
255 (void) crypto_destroy_ctx_template(cd->hmac_tmpl);
256
257 if (cd->ctx != NULL) {
258 crypto_cancel_ctx(cd->ctx);
259 cd->ctx = NULL;
260 }
261 }
262
263 /* ARGSUSED */
264 static int
265 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
266 {
267 struct tmodinfo *tmi;
268 ASSERT(rq);
269
270 if (sflag != MODOPEN)
271 return (EINVAL);
272
273 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
274 "cryptmodopen: opening module(PID %d)",
275 ddi_get_pid()));
276
277 if (rq->q_ptr != NULL) {
278 cmn_err(CE_WARN, "cryptmodopen: already opened");
279 return (0);
280 }
281
282 /*
283 * Allocate and initialize per-Stream structure.
284 */
285 tmi = kmem_zalloc(sizeof (struct tmodinfo), KM_SLEEP);
286
287 tmi->enc_data.method = CRYPT_METHOD_NONE;
288 tmi->dec_data.method = CRYPT_METHOD_NONE;
289
290 tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);
291
292 rq->q_ptr = WR(rq)->q_ptr = tmi;
293
294 sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
295 md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
296 sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
297 md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);
298
299 qprocson(rq);
300
301 return (0);
302 }
303
304 /* ARGSUSED */
305 static int
306 cryptmodclose(queue_t *rq, int flags __unused, cred_t *credp __unused)
307 {
308 struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
309 ASSERT(tmi);
310
311 qprocsoff(rq);
312
313 cleanup(&tmi->enc_data);
314 cleanup(&tmi->dec_data);
315
316 kmem_free(tmi, sizeof (struct tmodinfo));
317 rq->q_ptr = WR(rq)->q_ptr = NULL;
318
319 return (0);
320 }
321
322 /*
323 * plaintext_offset
324 *
325 * Calculate exactly how much space is needed in front
326 * of the "plaintext" in an mbuf so it can be positioned
327 * 1 time instead of potentially moving the data multiple
328 * times.
329 */
330 static int
331 plaintext_offset(struct cipher_data_t *cd)
332 {
333 int headspace = 0;
334
335 /* 4 byte length prepended to all RCMD msgs */
336 if (ANY_RCMD_MODE(cd->option_mask))
337 headspace += RCMD_LEN_SZ;
338
339 /* RCMD V2 mode adds an additional 4 byte plaintext length */
340 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
341 headspace += RCMD_LEN_SZ;
342
343 /* Need extra space for hash and counfounder */
344 switch (cd->method) {
345 case CRYPT_METHOD_DES_CBC_NULL:
346 headspace += null_hash.hash_len + null_hash.confound_len;
347 break;
348 case CRYPT_METHOD_DES_CBC_CRC:
349 headspace += crc32_hash.hash_len + crc32_hash.confound_len;
350 break;
351 case CRYPT_METHOD_DES_CBC_MD5:
352 headspace += md5_hash.hash_len + md5_hash.confound_len;
353 break;
354 case CRYPT_METHOD_DES3_CBC_SHA1:
355 headspace += sha1_hash.confound_len;
356 break;
357 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
358 headspace += md5_hash.hash_len + md5_hash.confound_len;
359 break;
360 case CRYPT_METHOD_AES128:
361 case CRYPT_METHOD_AES256:
362 headspace += DEFAULT_AES_BLOCKLEN;
363 break;
364 case CRYPT_METHOD_DES_CFB:
365 case CRYPT_METHOD_NONE:
366 break;
367 }
368
369 return (headspace);
370 }
371 /*
372 * encrypt_size
373 *
374 * Calculate the resulting size when encrypting 'plainlen' bytes
375 * of data.
376 */
377 static size_t
378 encrypt_size(struct cipher_data_t *cd, size_t plainlen)
379 {
380 size_t cipherlen;
381
382 switch (cd->method) {
383 case CRYPT_METHOD_DES_CBC_NULL:
384 cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
385 plainlen, 8);
386 break;
387 case CRYPT_METHOD_DES_CBC_MD5:
388 cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
389 md5_hash.confound_len +
390 plainlen, 8);
391 break;
392 case CRYPT_METHOD_DES_CBC_CRC:
393 cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
394 crc32_hash.confound_len +
395 plainlen, 8);
396 break;
397 case CRYPT_METHOD_DES3_CBC_SHA1:
398 cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
399 plainlen, 8) +
400 sha1_hash.hash_len;
401 break;
402 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
403 cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
404 plainlen, 1) + md5_hash.hash_len;
405 break;
406 case CRYPT_METHOD_AES128:
407 case CRYPT_METHOD_AES256:
408 /* No roundup for AES-CBC-CTS */
409 cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
410 AES_TRUNCATED_HMAC_LEN;
411 break;
412 case CRYPT_METHOD_DES_CFB:
413 case CRYPT_METHOD_NONE:
414 cipherlen = plainlen;
415 break;
416 }
417
418 return (cipherlen);
419 }
420
421 /*
422 * des_cfb_encrypt
423 *
424 * Encrypt the mblk data using DES with cipher feedback.
425 *
426 * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
427 * vector, D[n] is the nth chunk of 64 bits of data to encrypt
428 * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
429 * (decrypted) data, then:
430 *
431 * V[0] = DES(V[i], key)
432 * O[n] = D[n] <exclusive or > V[n]
433 * V[n+1] = DES(O[n], key)
434 *
435 * The size of the message being encrypted does not change in this
436 * algorithm, num_bytes in == num_bytes out.
437 */
438 static mblk_t *
439 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
440 {
441 int savedbytes;
442 char *iptr, *optr, *lastoutput;
443
444 lastoutput = optr = (char *)mp->b_rptr;
445 iptr = (char *)mp->b_rptr;
446 savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;
447
448 while (iptr < (char *)mp->b_wptr) {
449 /*
450 * Do DES-ECB.
451 * The first time this runs, the 'tmi->enc_data.block' will
452 * contain the initialization vector that should have been
453 * passed in with the SETUP ioctl.
454 *
455 * V[n] = DES(V[n-1], key)
456 */
457 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
458 int retval = 0;
459 retval = kef_crypt(&tmi->enc_data,
460 tmi->enc_data.block,
461 CRYPTO_DATA_RAW,
462 tmi->enc_data.blocklen,
463 CRYPT_ENCRYPT);
464
465 if (retval != CRYPTO_SUCCESS) {
466 #ifdef DEBUG
467 cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
468 "failed - error 0x%0x", retval);
469 #endif
470 mp->b_datap->db_type = M_ERROR;
471 mp->b_rptr = mp->b_datap->db_base;
472 *mp->b_rptr = EIO;
473 mp->b_wptr = mp->b_rptr + sizeof (char);
474 freemsg(mp->b_cont);
475 mp->b_cont = NULL;
476 qreply(WR(q), mp);
477 return (NULL);
478 }
479 }
480
481 /* O[n] = I[n] ^ V[n] */
482 *(optr++) = *(iptr++) ^
483 tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];
484
485 tmi->enc_data.bytes++;
486 /*
487 * Feedback the encrypted output as the input to next DES call.
488 */
489 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
490 char *dbptr = tmi->enc_data.block;
491 /*
492 * Get the last bits of input from the previous
493 * msg block that we haven't yet used as feedback input.
494 */
495 if (savedbytes > 0) {
496 bcopy(tmi->enc_data.saveblock,
497 dbptr, (size_t)savedbytes);
498 dbptr += savedbytes;
499 }
500
501 /*
502 * Now copy the correct bytes from the current input
503 * stream and update the 'lastoutput' ptr
504 */
505 bcopy(lastoutput, dbptr,
506 (size_t)(CFB_BLKSZ - savedbytes));
507
508 lastoutput += (CFB_BLKSZ - savedbytes);
509 savedbytes = 0;
510 }
511 }
512 /*
513 * If there are bytes of input here that we need in the next
514 * block to build an ivec, save them off here.
515 */
516 if (lastoutput < optr) {
517 bcopy(lastoutput,
518 tmi->enc_data.saveblock + savedbytes,
519 (uint_t)(optr - lastoutput));
520 }
521 return (mp);
522 }
523
524 /*
525 * des_cfb_decrypt
526 *
527 * Decrypt the data in the mblk using DES in Cipher Feedback mode
528 *
529 * # bytes in == # bytes out, no padding, confounding, or hashing
530 * is added.
531 *
532 */
533 static mblk_t *
534 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
535 {
536 uint_t len;
537 uint_t savedbytes;
538 char *iptr;
539 char *lastinput;
540 uint_t cp;
541
542 len = MBLKL(mp);
543
544 /* decrypted output goes into the new data buffer */
545 lastinput = iptr = (char *)mp->b_rptr;
546
547 savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;
548
549 /*
550 * Save the input CFB_BLKSZ bytes at a time.
551 * We are trying to decrypt in-place, but need to keep
552 * a small sliding window of encrypted text to be
553 * used to construct the feedback buffer.
554 */
555 cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
556 tmi->dec_data.blocklen - savedbytes);
557
558 bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
559 savedbytes += cp;
560
561 lastinput += cp;
562
563 while (iptr < (char *)mp->b_wptr) {
564 /*
565 * Do DES-ECB.
566 * The first time this runs, the 'tmi->dec_data.block' will
567 * contain the initialization vector that should have been
568 * passed in with the SETUP ioctl.
569 */
570 if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
571 int retval;
572 retval = kef_crypt(&tmi->dec_data,
573 tmi->dec_data.block,
574 CRYPTO_DATA_RAW,
575 tmi->dec_data.blocklen,
576 CRYPT_ENCRYPT);
577
578 if (retval != CRYPTO_SUCCESS) {
579 #ifdef DEBUG
580 cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
581 "failed - status 0x%0x", retval);
582 #endif
583 mp->b_datap->db_type = M_ERROR;
584 mp->b_rptr = mp->b_datap->db_base;
585 *mp->b_rptr = EIO;
586 mp->b_wptr = mp->b_rptr + sizeof (char);
587 freemsg(mp->b_cont);
588 mp->b_cont = NULL;
589 qreply(WR(q), mp);
590 return (NULL);
591 }
592 }
593
594 /*
595 * To decrypt, XOR the input with the output from the DES call
596 */
597 *(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
598 CFB_BLKSZ];
599
600 tmi->dec_data.bytes++;
601
602 /*
603 * Feedback the encrypted input for next DES call.
604 */
605 if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
606 char *dbptr = tmi->dec_data.block;
607 /*
608 * Get the last bits of input from the previous block
609 * that we haven't yet processed.
610 */
611 if (savedbytes > 0) {
612 bcopy(tmi->dec_data.saveblock,
613 dbptr, savedbytes);
614 dbptr += savedbytes;
615 }
616
617 savedbytes = 0;
618
619 /*
620 * This block makes sure that our local
621 * buffer of input data is full and can
622 * be accessed from the beginning.
623 */
624 if (lastinput < (char *)mp->b_wptr) {
625
626 /* How many bytes are left in the mblk? */
627 cp = (((char *)mp->b_wptr - lastinput) >
628 tmi->dec_data.blocklen ?
629 tmi->dec_data.blocklen :
630 (char *)mp->b_wptr - lastinput);
631
632 /* copy what we need */
633 bcopy(lastinput, tmi->dec_data.saveblock,
634 cp);
635
636 lastinput += cp;
637 savedbytes = cp;
638 }
639 }
640 }
641
642 return (mp);
643 }
644
645 /*
646 * crc32_calc
647 *
648 * Compute a CRC32 checksum on the input
649 */
650 static int
651 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
652 {
653 uint32_t crc;
654
655 CRC32(crc, input, len, 0, crc32_table);
656
657 buf[0] = (uchar_t)(crc & 0xff);
658 buf[1] = (uchar_t)((crc >> 8) & 0xff);
659 buf[2] = (uchar_t)((crc >> 16) & 0xff);
660 buf[3] = (uchar_t)((crc >> 24) & 0xff);
661
662 return (CRYPTO_SUCCESS);
663 }
664
665 static int
666 kef_digest(crypto_mech_type_t digest_type,
667 uchar_t *input, uint_t inlen,
668 uchar_t *output, uint_t hashlen)
669 {
670 iovec_t v1, v2;
671 crypto_data_t d1, d2;
672 crypto_mechanism_t mech;
673 int rv;
674
675 mech.cm_type = digest_type;
676 mech.cm_param = 0;
677 mech.cm_param_len = 0;
678
679 v1.iov_base = (void *)input;
680 v1.iov_len = inlen;
681
682 d1.cd_format = CRYPTO_DATA_RAW;
683 d1.cd_offset = 0;
684 d1.cd_length = v1.iov_len;
685 d1.cd_raw = v1;
686
687 v2.iov_base = (void *)output;
688 v2.iov_len = hashlen;
689
690 d2.cd_format = CRYPTO_DATA_RAW;
691 d2.cd_offset = 0;
692 d2.cd_length = v2.iov_len;
693 d2.cd_raw = v2;
694
695 rv = crypto_digest(&mech, &d1, &d2, NULL);
696
697 return (rv);
698 }
699
700 /*
701 * sha1_calc
702 *
703 * Get a SHA1 hash on the input data.
704 */
705 static int
706 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
707 {
708 int rv;
709
710 rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);
711
712 return (rv);
713 }
714
715 /*
716 * Get an MD5 hash on the input data.
717 * md5_calc
718 *
719 */
720 static int
721 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
722 {
723 int rv;
724
725 rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);
726
727 return (rv);
728 }
729
730 /*
731 * nfold
732 * duplicate the functionality of the krb5_nfold function from
733 * the userland kerberos mech.
734 * This is needed to derive keys for use with 3DES/SHA1-HMAC
735 * ciphers.
736 */
737 static void
738 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
739 {
740 int a, b, c, lcm;
741 int byte, i, msbit;
742
743 inbits >>= 3;
744 outbits >>= 3;
745
746 /* first compute lcm(n,k) */
747 a = outbits;
748 b = inbits;
749
750 while (b != 0) {
751 c = b;
752 b = a%b;
753 a = c;
754 }
755
756 lcm = outbits*inbits/a;
757
758 /* now do the real work */
759
760 bzero(out, outbits);
761 byte = 0;
762
763 /*
764 * Compute the msbit in k which gets added into this byte
765 * first, start with the msbit in the first, unrotated byte
766 * then, for each byte, shift to the right for each repetition
767 * last, pick out the correct byte within that shifted repetition
768 */
769 for (i = lcm-1; i >= 0; i--) {
770 msbit = (((inbits<<3)-1)
771 +(((inbits<<3)+13)*(i/inbits))
772 +((inbits-(i%inbits))<<3)) %(inbits<<3);
773
774 /* pull out the byte value itself */
775 byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
776 (in[((inbits)-(msbit>>3))%inbits]))
777 >>((msbit&7)+1))&0xff;
778
779 /* do the addition */
780 byte += out[i%outbits];
781 out[i%outbits] = byte&0xff;
782
783 byte >>= 8;
784 }
785
786 /* if there's a carry bit left over, add it back in */
787 if (byte) {
788 for (i = outbits-1; i >= 0; i--) {
789 /* do the addition */
790 byte += out[i];
791 out[i] = byte&0xff;
792
793 /* keep around the carry bit, if any */
794 byte >>= 8;
795 }
796 }
797 }
798
799 #define smask(step) ((1<<step)-1)
800 #define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
801 #define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
802
803 /*
804 * Duplicate the functionality of the "dk_derive_key" function
805 * in the Kerberos mechanism.
806 */
807 static int
808 derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
809 int constlen, char *dkey, int keybytes,
810 int blocklen)
811 {
812 int rv = 0;
813 int n = 0, i;
814 char *inblock;
815 char *rawkey;
816 char *zeroblock;
817 char *saveblock;
818
819 inblock = kmem_zalloc(blocklen, KM_SLEEP);
820 rawkey = kmem_zalloc(keybytes, KM_SLEEP);
821 zeroblock = kmem_zalloc(blocklen, KM_SLEEP);
822
823 if (constlen == blocklen)
824 bcopy(constdata, inblock, blocklen);
825 else
826 nfold(constlen * 8, constdata,
827 blocklen * 8, (uchar_t *)inblock);
828
829 /*
830 * zeroblock is an IV of all 0's.
831 *
832 * The "block" section of the cdata record is used as the
833 * IV for crypto operations in the kef_crypt function.
834 *
835 * We use 'block' as a generic IV data buffer because it
836 * is attached to the stream state data and thus can
837 * be used to hold information that must carry over
838 * from processing of one mblk to another.
839 *
840 * Here, we save the current IV and replace it with
841 * and empty IV (all 0's) for use when deriving the
842 * keys. Once the key derivation is done, we swap the
843 * old IV back into place.
844 */
845 saveblock = cdata->block;
846 cdata->block = zeroblock;
847
848 while (n < keybytes) {
849 rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
850 blocklen, CRYPT_ENCRYPT);
851 if (rv != CRYPTO_SUCCESS) {
852 /* put the original IV block back in place */
853 cdata->block = saveblock;
854 cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
855 goto cleanup;
856 }
857
858 if (keybytes - n < blocklen) {
859 bcopy(inblock, rawkey+n, (keybytes-n));
860 break;
861 }
862 bcopy(inblock, rawkey+n, blocklen);
863 n += blocklen;
864 }
865 /* put the original IV block back in place */
866 cdata->block = saveblock;
867
868 /* finally, make the key */
869 if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
870 /*
871 * 3DES key derivation requires that we make sure the
872 * key has the proper parity.
873 */
874 for (i = 0; i < 3; i++) {
875 bcopy(rawkey+(i*7), dkey+(i*8), 7);
876
877 /* 'dkey' is our derived key output buffer */
878 dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
879 ((dkey[i*8+1]&1)<<2) |
880 ((dkey[i*8+2]&1)<<3) |
881 ((dkey[i*8+3]&1)<<4) |
882 ((dkey[i*8+4]&1)<<5) |
883 ((dkey[i*8+5]&1)<<6) |
884 ((dkey[i*8+6]&1)<<7));
885
886 for (n = 0; n < 8; n++) {
887 dkey[i*8 + n] &= 0xfe;
888 dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
889 }
890 }
891 } else if (IS_AES_METHOD(cdata->method)) {
892 bcopy(rawkey, dkey, keybytes);
893 }
894 cleanup:
895 kmem_free(inblock, blocklen);
896 kmem_free(zeroblock, blocklen);
897 kmem_free(rawkey, keybytes);
898 return (rv);
899 }
900
901 /*
902 * create_derived_keys
903 *
904 * Algorithm for deriving a new key and an HMAC key
905 * before computing the 3DES-SHA1-HMAC operation on the plaintext
906 * This algorithm matches the work done by Kerberos mechanism
907 * in userland.
908 */
909 static int
910 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
911 crypto_key_t *enckey, crypto_key_t *hmackey)
912 {
913 uchar_t constdata[K5CLENGTH];
914 int keybytes;
915 int rv;
916
917 constdata[0] = (usage>>24)&0xff;
918 constdata[1] = (usage>>16)&0xff;
919 constdata[2] = (usage>>8)&0xff;
920 constdata[3] = usage & 0xff;
921 /* Use "0xAA" for deriving encryption key */
922 constdata[4] = 0xAA; /* from MIT Kerberos code */
923
924 enckey->ck_length = cdata->keylen * 8;
925 enckey->ck_format = CRYPTO_KEY_RAW;
926 enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
927
928 switch (cdata->method) {
929 case CRYPT_METHOD_DES_CFB:
930 case CRYPT_METHOD_DES_CBC_NULL:
931 case CRYPT_METHOD_DES_CBC_MD5:
932 case CRYPT_METHOD_DES_CBC_CRC:
933 keybytes = 8;
934 break;
935 case CRYPT_METHOD_DES3_CBC_SHA1:
936 keybytes = CRYPT_DES3_KEYBYTES;
937 break;
938 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
939 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
940 keybytes = CRYPT_ARCFOUR_KEYBYTES;
941 break;
942 case CRYPT_METHOD_AES128:
943 keybytes = CRYPT_AES128_KEYBYTES;
944 break;
945 case CRYPT_METHOD_AES256:
946 keybytes = CRYPT_AES256_KEYBYTES;
947 break;
948 }
949
950 /* derive main crypto key */
951 rv = derive_key(cdata, constdata, sizeof (constdata),
952 enckey->ck_data, keybytes, cdata->blocklen);
953
954 if (rv == CRYPTO_SUCCESS) {
955
956 /* Use "0x55" for deriving mac key */
957 constdata[4] = 0x55;
958
959 hmackey->ck_length = cdata->keylen * 8;
960 hmackey->ck_format = CRYPTO_KEY_RAW;
961 hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
962
963 rv = derive_key(cdata, constdata, sizeof (constdata),
964 hmackey->ck_data, keybytes,
965 cdata->blocklen);
966 } else {
967 cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
968 }
969
970 return (rv);
971 }
972
973 /*
974 * Compute 3-DES crypto and HMAC.
975 */
976 static int
977 kef_decr_hmac(struct cipher_data_t *cdata,
978 mblk_t *mp, int length,
979 char *hmac, int hmaclen)
980 {
981 int rv = CRYPTO_FAILED;
982
983 crypto_mechanism_t encr_mech;
984 crypto_mechanism_t mac_mech;
985 crypto_data_t dd;
986 crypto_data_t mac;
987 iovec_t v1;
988
989 ASSERT(cdata != NULL);
990 ASSERT(mp != NULL);
991 ASSERT(hmac != NULL);
992
993 bzero(&dd, sizeof (dd));
994 dd.cd_format = CRYPTO_DATA_MBLK;
995 dd.cd_offset = 0;
996 dd.cd_length = length;
997 dd.cd_mp = mp;
998
999 v1.iov_base = hmac;
1000 v1.iov_len = hmaclen;
1001
1002 mac.cd_format = CRYPTO_DATA_RAW;
1003 mac.cd_offset = 0;
1004 mac.cd_length = hmaclen;
1005 mac.cd_raw = v1;
1006
1007 /*
1008 * cdata->block holds the IVEC
1009 */
1010 encr_mech.cm_type = cdata->mech_type;
1011 encr_mech.cm_param = cdata->block;
1012
1013 if (cdata->block != NULL)
1014 encr_mech.cm_param_len = cdata->blocklen;
1015 else
1016 encr_mech.cm_param_len = 0;
1017
1018 rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key,
1019 cdata->enc_tmpl, NULL, NULL);
1020 if (rv != CRYPTO_SUCCESS) {
1021 cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv);
1022 return (rv);
1023 }
1024
1025 mac_mech.cm_type = sha1_hmac_mech;
1026 mac_mech.cm_param = NULL;
1027 mac_mech.cm_param_len = 0;
1028
1029 /*
1030 * Compute MAC of the plaintext decrypted above.
1031 */
1032 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1033 cdata->hmac_tmpl, &mac, NULL);
1034
1035 if (rv != CRYPTO_SUCCESS) {
1036 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1037 }
1038
1039 return (rv);
1040 }
1041
1042 /*
1043 * Compute 3-DES crypto and HMAC.
1044 */
1045 static int
1046 kef_encr_hmac(struct cipher_data_t *cdata,
1047 mblk_t *mp, int length,
1048 char *hmac, int hmaclen)
1049 {
1050 int rv = CRYPTO_FAILED;
1051
1052 crypto_mechanism_t encr_mech;
1053 crypto_mechanism_t mac_mech;
1054 crypto_data_t dd;
1055 crypto_data_t mac;
1056 iovec_t v1;
1057
1058 ASSERT(cdata != NULL);
1059 ASSERT(mp != NULL);
1060 ASSERT(hmac != NULL);
1061
1062 bzero(&dd, sizeof (dd));
1063 dd.cd_format = CRYPTO_DATA_MBLK;
1064 dd.cd_offset = 0;
1065 dd.cd_length = length;
1066 dd.cd_mp = mp;
1067
1068 v1.iov_base = hmac;
1069 v1.iov_len = hmaclen;
1070
1071 mac.cd_format = CRYPTO_DATA_RAW;
1072 mac.cd_offset = 0;
1073 mac.cd_length = hmaclen;
1074 mac.cd_raw = v1;
1075
1076 /*
1077 * cdata->block holds the IVEC
1078 */
1079 encr_mech.cm_type = cdata->mech_type;
1080 encr_mech.cm_param = cdata->block;
1081
1082 if (cdata->block != NULL)
1083 encr_mech.cm_param_len = cdata->blocklen;
1084 else
1085 encr_mech.cm_param_len = 0;
1086
1087 mac_mech.cm_type = sha1_hmac_mech;
1088 mac_mech.cm_param = NULL;
1089 mac_mech.cm_param_len = 0;
1090
1091 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1092 cdata->hmac_tmpl, &mac, NULL);
1093
1094 if (rv != CRYPTO_SUCCESS) {
1095 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1096 return (rv);
1097 }
1098
1099 rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key,
1100 cdata->enc_tmpl, NULL, NULL);
1101 if (rv != CRYPTO_SUCCESS) {
1102 cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv);
1103 }
1104
1105 return (rv);
1106 }
1107
1108 /*
1109 * kef_crypt
1110 *
1111 * Use the Kernel encryption framework to provide the
1112 * crypto operations for the indicated data.
1113 */
1114 static int
1115 kef_crypt(struct cipher_data_t *cdata,
1116 void *indata, crypto_data_format_t fmt,
1117 size_t length, int mode)
1118 {
1119 int rv = CRYPTO_FAILED;
1120
1121 crypto_mechanism_t mech;
1122 crypto_key_t crkey;
1123 iovec_t v1;
1124 crypto_data_t d1;
1125
1126 ASSERT(cdata != NULL);
1127 ASSERT(indata != NULL);
1128 ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);
1129
1130 bzero(&crkey, sizeof (crkey));
1131 bzero(&d1, sizeof (d1));
1132
1133 crkey.ck_format = CRYPTO_KEY_RAW;
1134 crkey.ck_data = cdata->key;
1135
1136 /* keys are measured in bits, not bytes, so multiply by 8 */
1137 crkey.ck_length = cdata->keylen * 8;
1138
1139 if (fmt == CRYPTO_DATA_RAW) {
1140 v1.iov_base = (char *)indata;
1141 v1.iov_len = length;
1142 }
1143
1144 d1.cd_format = fmt;
1145 d1.cd_offset = 0;
1146 d1.cd_length = length;
1147 if (fmt == CRYPTO_DATA_RAW)
1148 d1.cd_raw = v1;
1149 else if (fmt == CRYPTO_DATA_MBLK)
1150 d1.cd_mp = (mblk_t *)indata;
1151
1152 mech.cm_type = cdata->mech_type;
1153 mech.cm_param = cdata->block;
1154 /*
1155 * cdata->block holds the IVEC
1156 */
1157 if (cdata->block != NULL)
1158 mech.cm_param_len = cdata->blocklen;
1159 else
1160 mech.cm_param_len = 0;
1161
1162 /*
1163 * encrypt and decrypt in-place
1164 */
1165 if (mode == CRYPT_ENCRYPT)
1166 rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1167 else
1168 rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1169
1170 if (rv != CRYPTO_SUCCESS) {
1171 cmn_err(CE_WARN, "%s returned error %08x",
1172 (mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
1173 "crypto_decrypt"), rv);
1174 return (CRYPTO_FAILED);
1175 }
1176
1177 return (rv);
1178 }
1179
1180 static int
1181 do_hmac(crypto_mech_type_t mech,
1182 crypto_key_t *key,
1183 char *data, int datalen,
1184 char *hmac, int hmaclen)
1185 {
1186 int rv = 0;
1187 crypto_mechanism_t mac_mech;
1188 crypto_data_t dd;
1189 crypto_data_t mac;
1190 iovec_t vdata, vmac;
1191
1192 mac_mech.cm_type = mech;
1193 mac_mech.cm_param = NULL;
1194 mac_mech.cm_param_len = 0;
1195
1196 vdata.iov_base = data;
1197 vdata.iov_len = datalen;
1198
1199 bzero(&dd, sizeof (dd));
1200 dd.cd_format = CRYPTO_DATA_RAW;
1201 dd.cd_offset = 0;
1202 dd.cd_length = datalen;
1203 dd.cd_raw = vdata;
1204
1205 vmac.iov_base = hmac;
1206 vmac.iov_len = hmaclen;
1207
1208 mac.cd_format = CRYPTO_DATA_RAW;
1209 mac.cd_offset = 0;
1210 mac.cd_length = hmaclen;
1211 mac.cd_raw = vmac;
1212
1213 /*
1214 * Compute MAC of the plaintext decrypted above.
1215 */
1216 rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);
1217
1218 if (rv != CRYPTO_SUCCESS) {
1219 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1220 }
1221
1222 return (rv);
1223 }
1224
1225 #define XOR_BLOCK(src, dst) \
1226 (dst)[0] ^= (src)[0]; \
1227 (dst)[1] ^= (src)[1]; \
1228 (dst)[2] ^= (src)[2]; \
1229 (dst)[3] ^= (src)[3]; \
1230 (dst)[4] ^= (src)[4]; \
1231 (dst)[5] ^= (src)[5]; \
1232 (dst)[6] ^= (src)[6]; \
1233 (dst)[7] ^= (src)[7]; \
1234 (dst)[8] ^= (src)[8]; \
1235 (dst)[9] ^= (src)[9]; \
1236 (dst)[10] ^= (src)[10]; \
1237 (dst)[11] ^= (src)[11]; \
1238 (dst)[12] ^= (src)[12]; \
1239 (dst)[13] ^= (src)[13]; \
1240 (dst)[14] ^= (src)[14]; \
1241 (dst)[15] ^= (src)[15]
1242
1243 #define xorblock(x, y) XOR_BLOCK(y, x)
1244
1245 static int
1246 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
1247 {
1248 int result = CRYPTO_SUCCESS;
1249 unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1250 unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1251 unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1252 int nblocks = 0, blockno;
1253 crypto_data_t ct, pt;
1254 crypto_mechanism_t mech;
1255
1256 mech.cm_type = tmi->enc_data.mech_type;
1257 if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) {
1258 bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1259 } else {
1260 bzero(tmp, sizeof (tmp));
1261 }
1262 mech.cm_param = NULL;
1263 mech.cm_param_len = 0;
1264
1265 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1266
1267 bzero(&ct, sizeof (crypto_data_t));
1268 bzero(&pt, sizeof (crypto_data_t));
1269
1270 if (nblocks == 1) {
1271 pt.cd_format = CRYPTO_DATA_RAW;
1272 pt.cd_length = length;
1273 pt.cd_raw.iov_base = (char *)plain;
1274 pt.cd_raw.iov_len = length;
1275
1276 result = crypto_encrypt(&mech, &pt,
1277 &tmi->enc_data.d_encr_key, NULL, NULL, NULL);
1278
1279 if (result != CRYPTO_SUCCESS) {
1280 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1281 "crypto_encrypt failed: %0x", result);
1282 }
1283 } else {
1284 size_t nleft;
1285
1286 ct.cd_format = CRYPTO_DATA_RAW;
1287 ct.cd_offset = 0;
1288 ct.cd_length = DEFAULT_AES_BLOCKLEN;
1289
1290 pt.cd_format = CRYPTO_DATA_RAW;
1291 pt.cd_offset = 0;
1292 pt.cd_length = DEFAULT_AES_BLOCKLEN;
1293
1294 result = crypto_encrypt_init(&mech,
1295 &tmi->enc_data.d_encr_key,
1296 tmi->enc_data.enc_tmpl,
1297 &tmi->enc_data.ctx, NULL);
1298
1299 if (result != CRYPTO_SUCCESS) {
1300 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1301 "crypto_encrypt_init failed: %0x", result);
1302 goto cleanup;
1303 }
1304
1305 for (blockno = 0; blockno < nblocks - 2; blockno++) {
1306 xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN);
1307
1308 pt.cd_raw.iov_base = (char *)tmp;
1309 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1310
1311 ct.cd_raw.iov_base = (char *)plain +
1312 blockno * DEFAULT_AES_BLOCKLEN;
1313 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1314
1315 result = crypto_encrypt_update(tmi->enc_data.ctx,
1316 &pt, &ct, NULL);
1317
1318 if (result != CRYPTO_SUCCESS) {
1319 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1320 "crypto_encrypt_update failed: %0x",
1321 result);
1322 goto cleanup;
1323 }
1324 /* copy result over original bytes */
1325 /* make another copy for the next XOR step */
1326 bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN,
1327 tmp, DEFAULT_AES_BLOCKLEN);
1328 }
1329 /* XOR cipher text from n-3 with plain text from n-2 */
1330 xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1331
1332 pt.cd_raw.iov_base = (char *)tmp;
1333 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1334
1335 ct.cd_raw.iov_base = (char *)tmp2;
1336 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1337
1338 /* encrypt XOR-ed block N-2 */
1339 result = crypto_encrypt_update(tmi->enc_data.ctx,
1340 &pt, &ct, NULL);
1341 if (result != CRYPTO_SUCCESS) {
1342 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1343 "crypto_encrypt_update(2) failed: %0x",
1344 result);
1345 goto cleanup;
1346 }
1347 nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN;
1348
1349 bzero(tmp3, sizeof (tmp3));
1350 /* Save final plaintext bytes from n-1 */
1351 bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1352 nleft);
1353
1354 /* Overwrite n-1 with cipher text from n-2 */
1355 bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1356 nleft);
1357
1358 bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN);
1359 /* XOR cipher text from n-1 with plain text from n-1 */
1360 xorblock(tmp, tmp3);
1361
1362 pt.cd_raw.iov_base = (char *)tmp;
1363 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1364
1365 ct.cd_raw.iov_base = (char *)tmp2;
1366 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1367
1368 /* encrypt block N-2 */
1369 result = crypto_encrypt_update(tmi->enc_data.ctx,
1370 &pt, &ct, NULL);
1371
1372 if (result != CRYPTO_SUCCESS) {
1373 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1374 "crypto_encrypt_update(3) failed: %0x",
1375 result);
1376 goto cleanup;
1377 }
1378
1379 bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1380 DEFAULT_AES_BLOCKLEN);
1381
1382
1383 ct.cd_raw.iov_base = (char *)tmp2;
1384 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1385
1386 /*
1387 * Ignore the output on the final step.
1388 */
1389 result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL);
1390 if (result != CRYPTO_SUCCESS) {
1391 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1392 "crypto_encrypt_final(3) failed: %0x",
1393 result);
1394 }
1395 tmi->enc_data.ctx = NULL;
1396 }
1397 cleanup:
1398 bzero(tmp, sizeof (tmp));
1399 bzero(tmp2, sizeof (tmp));
1400 bzero(tmp3, sizeof (tmp));
1401 bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
1402 return (result);
1403 }
1404
1405 static int
1406 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length)
1407 {
1408 int result = CRYPTO_SUCCESS;
1409 unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1410 unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1411 unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1412 int nblocks = 0, blockno;
1413 crypto_data_t ct, pt;
1414 crypto_mechanism_t mech;
1415
1416 mech.cm_type = tmi->enc_data.mech_type;
1417
1418 if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1419 tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) {
1420 bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1421 } else {
1422 bzero(tmp, sizeof (tmp));
1423 }
1424 mech.cm_param_len = 0;
1425 mech.cm_param = NULL;
1426
1427 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1428
1429 bzero(&pt, sizeof (pt));
1430 bzero(&ct, sizeof (ct));
1431
1432 if (nblocks == 1) {
1433 ct.cd_format = CRYPTO_DATA_RAW;
1434 ct.cd_length = length;
1435 ct.cd_raw.iov_base = (char *)buff;
1436 ct.cd_raw.iov_len = length;
1437
1438 result = crypto_decrypt(&mech, &ct,
1439 &tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1440
1441 if (result != CRYPTO_SUCCESS) {
1442 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1443 "crypto_decrypt failed: %0x", result);
1444 goto cleanup;
1445 }
1446 } else {
1447 ct.cd_format = CRYPTO_DATA_RAW;
1448 ct.cd_offset = 0;
1449 ct.cd_length = DEFAULT_AES_BLOCKLEN;
1450
1451 pt.cd_format = CRYPTO_DATA_RAW;
1452 pt.cd_offset = 0;
1453 pt.cd_length = DEFAULT_AES_BLOCKLEN;
1454
1455 result = crypto_decrypt_init(&mech,
1456 &tmi->dec_data.d_encr_key,
1457 tmi->dec_data.enc_tmpl,
1458 &tmi->dec_data.ctx, NULL);
1459
1460 if (result != CRYPTO_SUCCESS) {
1461 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1462 "crypto_decrypt_init failed: %0x", result);
1463 goto cleanup;
1464 }
1465 for (blockno = 0; blockno < nblocks - 2; blockno++) {
1466 ct.cd_raw.iov_base = (char *)buff +
1467 (blockno * DEFAULT_AES_BLOCKLEN);
1468 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1469
1470 pt.cd_raw.iov_base = (char *)tmp2;
1471 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1472
1473 /*
1474 * Save the input to the decrypt so it can
1475 * be used later for an XOR operation
1476 */
1477 bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN),
1478 tmi->dec_data.block, DEFAULT_AES_BLOCKLEN);
1479
1480 result = crypto_decrypt_update(tmi->dec_data.ctx,
1481 &ct, &pt, NULL);
1482 if (result != CRYPTO_SUCCESS) {
1483 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1484 "crypto_decrypt_update(1) error - "
1485 "result = 0x%08x", result);
1486 goto cleanup;
1487 }
1488 xorblock(tmp2, tmp);
1489 bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN,
1490 DEFAULT_AES_BLOCKLEN);
1491 /*
1492 * The original cipher text is used as the xor
1493 * for the next block, save it here.
1494 */
1495 bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN);
1496 }
1497 ct.cd_raw.iov_base = (char *)buff +
1498 ((nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1499 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1500 pt.cd_raw.iov_base = (char *)tmp2;
1501 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1502
1503 result = crypto_decrypt_update(tmi->dec_data.ctx,
1504 &ct, &pt, NULL);
1505 if (result != CRYPTO_SUCCESS) {
1506 cmn_err(CE_WARN,
1507 "aes_cbc_cts_decrypt: "
1508 "crypto_decrypt_update(2) error -"
1509 " result = 0x%08x", result);
1510 goto cleanup;
1511 }
1512 bzero(tmp3, sizeof (tmp3));
1513 bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1514 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1515
1516 xorblock(tmp2, tmp3);
1517 bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1518 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1519
1520 /* 2nd to last block ... */
1521 bcopy(tmp3, tmp2,
1522 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1523
1524 ct.cd_raw.iov_base = (char *)tmp2;
1525 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1526 pt.cd_raw.iov_base = (char *)tmp3;
1527 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1528
1529 result = crypto_decrypt_update(tmi->dec_data.ctx,
1530 &ct, &pt, NULL);
1531 if (result != CRYPTO_SUCCESS) {
1532 cmn_err(CE_WARN,
1533 "aes_cbc_cts_decrypt: "
1534 "crypto_decrypt_update(3) error - "
1535 "result = 0x%08x", result);
1536 goto cleanup;
1537 }
1538 xorblock(tmp3, tmp);
1539
1540
1541 /* Finally, update the 2nd to last block and we are done. */
1542 bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1543 DEFAULT_AES_BLOCKLEN);
1544
1545 /* Do Final step, but ignore output */
1546 pt.cd_raw.iov_base = (char *)tmp2;
1547 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1548 result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL);
1549 if (result != CRYPTO_SUCCESS) {
1550 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1551 "crypto_decrypt_final error - "
1552 "result = 0x%0x", result);
1553 }
1554 tmi->dec_data.ctx = NULL;
1555 }
1556
1557 cleanup:
1558 bzero(tmp, sizeof (tmp));
1559 bzero(tmp2, sizeof (tmp));
1560 bzero(tmp3, sizeof (tmp));
1561 bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
1562 return (result);
1563 }
1564
1565 /*
1566 * AES decrypt
1567 *
1568 * format of ciphertext when using AES
1569 * +-------------+------------+------------+
1570 * | confounder | msg-data | hmac |
1571 * +-------------+------------+------------+
1572 */
1573 static mblk_t *
1574 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1575 hash_info_t *hash)
1576 {
1577 int result;
1578 size_t enclen;
1579 size_t inlen;
1580 uchar_t hmacbuff[64];
1581 uchar_t tmpiv[DEFAULT_AES_BLOCKLEN];
1582
1583 inlen = (size_t)MBLKL(mp);
1584
1585 enclen = inlen - AES_TRUNCATED_HMAC_LEN;
1586 if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1587 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) {
1588 int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) /
1589 DEFAULT_AES_BLOCKLEN;
1590 bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2),
1591 tmpiv, DEFAULT_AES_BLOCKLEN);
1592 }
1593
1594 /* AES Decrypt */
1595 result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen);
1596
1597 if (result != CRYPTO_SUCCESS) {
1598 cmn_err(CE_WARN,
1599 "aes_decrypt: aes_cbc_cts_decrypt "
1600 "failed - error %0x", result);
1601 goto cleanup;
1602 }
1603
1604 /* Verify the HMAC */
1605 result = do_hmac(sha1_hmac_mech,
1606 &tmi->dec_data.d_hmac_key,
1607 (char *)mp->b_rptr, enclen,
1608 (char *)hmacbuff, hash->hash_len);
1609
1610 if (result != CRYPTO_SUCCESS) {
1611 cmn_err(CE_WARN,
1612 "aes_decrypt: do_hmac failed - error %0x", result);
1613 goto cleanup;
1614 }
1615
1616 if (bcmp(hmacbuff, mp->b_rptr + enclen,
1617 AES_TRUNCATED_HMAC_LEN) != 0) {
1618 result = -1;
1619 cmn_err(CE_WARN, "aes_decrypt: checksum verification failed");
1620 goto cleanup;
1621 }
1622
1623 /* truncate the mblk at the end of the decrypted text */
1624 mp->b_wptr = mp->b_rptr + enclen;
1625
1626 /* Adjust the beginning of the buffer to skip the confounder */
1627 mp->b_rptr += DEFAULT_AES_BLOCKLEN;
1628
1629 if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1630 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0)
1631 bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN);
1632
1633 cleanup:
1634 if (result != CRYPTO_SUCCESS) {
1635 mp->b_datap->db_type = M_ERROR;
1636 mp->b_rptr = mp->b_datap->db_base;
1637 *mp->b_rptr = EIO;
1638 mp->b_wptr = mp->b_rptr + sizeof (char);
1639 freemsg(mp->b_cont);
1640 mp->b_cont = NULL;
1641 qreply(WR(q), mp);
1642 return (NULL);
1643 }
1644 return (mp);
1645 }
1646
1647 /*
1648 * AES encrypt
1649 *
1650 * format of ciphertext when using AES
1651 * +-------------+------------+------------+
1652 * | confounder | msg-data | hmac |
1653 * +-------------+------------+------------+
1654 */
1655 static mblk_t *
1656 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1657 hash_info_t *hash)
1658 {
1659 int result;
1660 size_t cipherlen;
1661 size_t inlen;
1662 uchar_t hmacbuff[64];
1663
1664 inlen = (size_t)MBLKL(mp);
1665
1666 cipherlen = encrypt_size(&tmi->enc_data, inlen);
1667
1668 ASSERT(MBLKSIZE(mp) >= cipherlen);
1669
1670 /*
1671 * Shift the rptr back enough to insert the confounder.
1672 */
1673 mp->b_rptr -= DEFAULT_AES_BLOCKLEN;
1674
1675 /* Get random data for confounder */
1676 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
1677 DEFAULT_AES_BLOCKLEN);
1678
1679 /*
1680 * Because we encrypt in-place, we need to calculate
1681 * the HMAC of the plaintext now, then stick it on
1682 * the end of the ciphertext down below.
1683 */
1684 result = do_hmac(sha1_hmac_mech,
1685 &tmi->enc_data.d_hmac_key,
1686 (char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen,
1687 (char *)hmacbuff, hash->hash_len);
1688
1689 if (result != CRYPTO_SUCCESS) {
1690 cmn_err(CE_WARN, "aes_encrypt: do_hmac failed - error %0x",
1691 result);
1692 goto cleanup;
1693 }
1694 /* Encrypt using AES-CBC-CTS */
1695 result = aes_cbc_cts_encrypt(tmi, mp->b_rptr,
1696 inlen + DEFAULT_AES_BLOCKLEN);
1697
1698 if (result != CRYPTO_SUCCESS) {
1699 cmn_err(CE_WARN, "aes_encrypt: aes_cbc_cts_encrypt "
1700 "failed - error %0x", result);
1701 goto cleanup;
1702 }
1703
1704 /* copy the truncated HMAC to the end of the mblk */
1705 bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen,
1706 AES_TRUNCATED_HMAC_LEN);
1707
1708 mp->b_wptr = mp->b_rptr + cipherlen;
1709
1710 /*
1711 * The final block of cipher text (not the HMAC) is used
1712 * as the next IV.
1713 */
1714 if (tmi->enc_data.ivec_usage != IVEC_NEVER &&
1715 tmi->enc_data.ivec != NULL) {
1716 int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) /
1717 DEFAULT_AES_BLOCKLEN;
1718
1719 bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1720 tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN);
1721 }
1722
1723 cleanup:
1724 if (result != CRYPTO_SUCCESS) {
1725 mp->b_datap->db_type = M_ERROR;
1726 mp->b_rptr = mp->b_datap->db_base;
1727 *mp->b_rptr = EIO;
1728 mp->b_wptr = mp->b_rptr + sizeof (char);
1729 freemsg(mp->b_cont);
1730 mp->b_cont = NULL;
1731 qreply(WR(q), mp);
1732 return (NULL);
1733 }
1734 return (mp);
1735 }
1736
1737 /*
1738 * ARCFOUR-HMAC-MD5 decrypt
1739 *
1740 * format of ciphertext when using ARCFOUR-HMAC-MD5
1741 * +-----------+------------+------------+
1742 * | hmac | confounder | msg-data |
1743 * +-----------+------------+------------+
1744 *
1745 */
1746 static mblk_t *
1747 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1748 hash_info_t *hash)
1749 {
1750 int result;
1751 size_t cipherlen;
1752 size_t inlen;
1753 size_t saltlen;
1754 crypto_key_t k1, k2;
1755 crypto_data_t indata;
1756 iovec_t v1;
1757 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1758 0xab, 0xab, 0xab, 0xab };
1759 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1760 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1761 uchar_t cksum[MD5_HASHSIZE];
1762 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1763 crypto_mechanism_t mech;
1764 int usage;
1765
1766 bzero(&indata, sizeof (indata));
1767
1768 /* The usage constant is 1026 for all "old" rcmd mode operations */
1769 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
1770 usage = RCMDV1_USAGE;
1771 else
1772 usage = ARCFOUR_DECRYPT_USAGE;
1773
1774 /*
1775 * The size at this point should be the size of
1776 * all the plaintext plus the optional plaintext length
1777 * needed for RCMD V2 mode. There should also be room
1778 * at the head of the mblk for the confounder and hash info.
1779 */
1780 inlen = (size_t)MBLKL(mp);
1781
1782 /*
1783 * The cipherlen does not include the HMAC at the
1784 * head of the buffer.
1785 */
1786 cipherlen = inlen - hash->hash_len;
1787
1788 ASSERT(MBLKSIZE(mp) >= cipherlen);
1789 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1790 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
1791 saltdata[9] = 0;
1792 saltdata[10] = usage & 0xff;
1793 saltdata[11] = (usage >> 8) & 0xff;
1794 saltdata[12] = (usage >> 16) & 0xff;
1795 saltdata[13] = (usage >> 24) & 0xff;
1796 saltlen = 14;
1797 } else {
1798 saltdata[0] = usage & 0xff;
1799 saltdata[1] = (usage >> 8) & 0xff;
1800 saltdata[2] = (usage >> 16) & 0xff;
1801 saltdata[3] = (usage >> 24) & 0xff;
1802 saltlen = 4;
1803 }
1804 /*
1805 * Use the salt value to create a key to be used
1806 * for subsequent HMAC operations.
1807 */
1808 result = do_hmac(md5_hmac_mech,
1809 tmi->dec_data.ckey,
1810 (char *)saltdata, saltlen,
1811 (char *)k1data, sizeof (k1data));
1812 if (result != CRYPTO_SUCCESS) {
1813 cmn_err(CE_WARN,
1814 "arcfour_hmac_md5_decrypt: do_hmac(k1)"
1815 "failed - error %0x", result);
1816 goto cleanup;
1817 }
1818 bcopy(k1data, k2data, sizeof (k1data));
1819
1820 /*
1821 * For the neutered MS RC4 encryption type,
1822 * set the trailing 9 bytes to 0xab per the
1823 * RC4-HMAC spec.
1824 */
1825 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1826 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
1827 }
1828
1829 mech.cm_type = tmi->dec_data.mech_type;
1830 mech.cm_param = NULL;
1831 mech.cm_param_len = 0;
1832
1833 /*
1834 * If we have not yet initialized the decryption key,
1835 * context, and template, do it now.
1836 */
1837 if (tmi->dec_data.ctx == NULL ||
1838 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
1839 k1.ck_format = CRYPTO_KEY_RAW;
1840 k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8;
1841 k1.ck_data = k1data;
1842
1843 tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW;
1844 tmi->dec_data.d_encr_key.ck_length = k1.ck_length;
1845 if (tmi->dec_data.d_encr_key.ck_data == NULL)
1846 tmi->dec_data.d_encr_key.ck_data = kmem_zalloc(
1847 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
1848
1849 /*
1850 * HMAC operation creates the encryption
1851 * key to be used for the decrypt operations.
1852 */
1853 result = do_hmac(md5_hmac_mech, &k1,
1854 (char *)mp->b_rptr, hash->hash_len,
1855 (char *)tmi->dec_data.d_encr_key.ck_data,
1856 CRYPT_ARCFOUR_KEYBYTES);
1857
1858
1859 if (result != CRYPTO_SUCCESS) {
1860 cmn_err(CE_WARN,
1861 "arcfour_hmac_md5_decrypt: do_hmac(k3)"
1862 "failed - error %0x", result);
1863 goto cleanup;
1864 }
1865 }
1866
1867 tmi->dec_data.enc_tmpl = NULL;
1868
1869 if (tmi->dec_data.ctx == NULL &&
1870 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
1871 /*
1872 * Only create a template if we are doing
1873 * chaining from block to block.
1874 */
1875 result = crypto_create_ctx_template(&mech,
1876 &tmi->dec_data.d_encr_key,
1877 &tmi->dec_data.enc_tmpl,
1878 KM_SLEEP);
1879 if (result == CRYPTO_NOT_SUPPORTED) {
1880 tmi->dec_data.enc_tmpl = NULL;
1881 } else if (result != CRYPTO_SUCCESS) {
1882 cmn_err(CE_WARN,
1883 "arcfour_hmac_md5_decrypt: "
1884 "failed to create dec template "
1885 "for RC4 encrypt: %0x", result);
1886 goto cleanup;
1887 }
1888
1889 result = crypto_decrypt_init(&mech,
1890 &tmi->dec_data.d_encr_key,
1891 tmi->dec_data.enc_tmpl,
1892 &tmi->dec_data.ctx, NULL);
1893
1894 if (result != CRYPTO_SUCCESS) {
1895 cmn_err(CE_WARN, "crypto_decrypt_init failed:"
1896 " %0x", result);
1897 goto cleanup;
1898 }
1899 }
1900
1901 /* adjust the rptr so we don't decrypt the original hmac field */
1902
1903 v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
1904 v1.iov_len = cipherlen;
1905
1906 indata.cd_format = CRYPTO_DATA_RAW;
1907 indata.cd_offset = 0;
1908 indata.cd_length = cipherlen;
1909 indata.cd_raw = v1;
1910
1911 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
1912 result = crypto_decrypt_update(tmi->dec_data.ctx,
1913 &indata, NULL, NULL);
1914 else
1915 result = crypto_decrypt(&mech, &indata,
1916 &tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1917
1918 if (result != CRYPTO_SUCCESS) {
1919 cmn_err(CE_WARN, "crypto_decrypt_update failed:"
1920 " %0x", result);
1921 goto cleanup;
1922 }
1923
1924 k2.ck_format = CRYPTO_KEY_RAW;
1925 k2.ck_length = sizeof (k2data) * 8;
1926 k2.ck_data = k2data;
1927
1928 result = do_hmac(md5_hmac_mech,
1929 &k2,
1930 (char *)mp->b_rptr + hash->hash_len, cipherlen,
1931 (char *)cksum, hash->hash_len);
1932
1933 if (result != CRYPTO_SUCCESS) {
1934 cmn_err(CE_WARN,
1935 "arcfour_hmac_md5_decrypt: do_hmac(k2)"
1936 "failed - error %0x", result);
1937 goto cleanup;
1938 }
1939
1940 if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) {
1941 cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed");
1942 result = -1;
1943 goto cleanup;
1944 }
1945
1946 /*
1947 * adjust the start of the mblk to skip over the
1948 * hash and confounder.
1949 */
1950 mp->b_rptr += hash->hash_len + hash->confound_len;
1951
1952 cleanup:
1953 bzero(k1data, sizeof (k1data));
1954 bzero(k2data, sizeof (k2data));
1955 bzero(cksum, sizeof (cksum));
1956 bzero(saltdata, sizeof (saltdata));
1957 if (result != CRYPTO_SUCCESS) {
1958 mp->b_datap->db_type = M_ERROR;
1959 mp->b_rptr = mp->b_datap->db_base;
1960 *mp->b_rptr = EIO;
1961 mp->b_wptr = mp->b_rptr + sizeof (char);
1962 freemsg(mp->b_cont);
1963 mp->b_cont = NULL;
1964 qreply(WR(q), mp);
1965 return (NULL);
1966 }
1967 return (mp);
1968 }
1969
1970 /*
1971 * ARCFOUR-HMAC-MD5 encrypt
1972 *
1973 * format of ciphertext when using ARCFOUR-HMAC-MD5
1974 * +-----------+------------+------------+
1975 * | hmac | confounder | msg-data |
1976 * +-----------+------------+------------+
1977 *
1978 */
1979 static mblk_t *
1980 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1981 hash_info_t *hash)
1982 {
1983 int result;
1984 size_t cipherlen;
1985 size_t inlen;
1986 size_t saltlen;
1987 crypto_key_t k1, k2;
1988 crypto_data_t indata;
1989 iovec_t v1;
1990 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1991 0xab, 0xab, 0xab, 0xab };
1992 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1993 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1994 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1995 crypto_mechanism_t mech;
1996 int usage;
1997
1998 bzero(&indata, sizeof (indata));
1999
2000 /* The usage constant is 1026 for all "old" rcmd mode operations */
2001 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
2002 usage = RCMDV1_USAGE;
2003 else
2004 usage = ARCFOUR_ENCRYPT_USAGE;
2005
2006 mech.cm_type = tmi->enc_data.mech_type;
2007 mech.cm_param = NULL;
2008 mech.cm_param_len = 0;
2009
2010 /*
2011 * The size at this point should be the size of
2012 * all the plaintext plus the optional plaintext length
2013 * needed for RCMD V2 mode. There should also be room
2014 * at the head of the mblk for the confounder and hash info.
2015 */
2016 inlen = (size_t)MBLKL(mp);
2017
2018 cipherlen = encrypt_size(&tmi->enc_data, inlen);
2019
2020 ASSERT(MBLKSIZE(mp) >= cipherlen);
2021
2022 /*
2023 * Shift the rptr back enough to insert
2024 * the confounder and hash.
2025 */
2026 mp->b_rptr -= (hash->confound_len + hash->hash_len);
2027
2028 /* zero out the hash area */
2029 bzero(mp->b_rptr, (size_t)hash->hash_len);
2030
2031 if (cipherlen > inlen) {
2032 bzero(mp->b_wptr, MBLKTAIL(mp));
2033 }
2034
2035 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2036 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
2037 saltdata[9] = 0;
2038 saltdata[10] = usage & 0xff;
2039 saltdata[11] = (usage >> 8) & 0xff;
2040 saltdata[12] = (usage >> 16) & 0xff;
2041 saltdata[13] = (usage >> 24) & 0xff;
2042 saltlen = 14;
2043 } else {
2044 saltdata[0] = usage & 0xff;
2045 saltdata[1] = (usage >> 8) & 0xff;
2046 saltdata[2] = (usage >> 16) & 0xff;
2047 saltdata[3] = (usage >> 24) & 0xff;
2048 saltlen = 4;
2049 }
2050 /*
2051 * Use the salt value to create a key to be used
2052 * for subsequent HMAC operations.
2053 */
2054 result = do_hmac(md5_hmac_mech,
2055 tmi->enc_data.ckey,
2056 (char *)saltdata, saltlen,
2057 (char *)k1data, sizeof (k1data));
2058 if (result != CRYPTO_SUCCESS) {
2059 cmn_err(CE_WARN,
2060 "arcfour_hmac_md5_encrypt: do_hmac(k1)"
2061 "failed - error %0x", result);
2062 goto cleanup;
2063 }
2064
2065 bcopy(k1data, k2data, sizeof (k2data));
2066
2067 /*
2068 * For the neutered MS RC4 encryption type,
2069 * set the trailing 9 bytes to 0xab per the
2070 * RC4-HMAC spec.
2071 */
2072 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2073 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
2074 }
2075
2076 /*
2077 * Get the confounder bytes.
2078 */
2079 (void) random_get_pseudo_bytes(
2080 (uint8_t *)(mp->b_rptr + hash->hash_len),
2081 (size_t)hash->confound_len);
2082
2083 k2.ck_data = k2data;
2084 k2.ck_format = CRYPTO_KEY_RAW;
2085 k2.ck_length = sizeof (k2data) * 8;
2086
2087 /*
2088 * This writes the HMAC to the hash area in the
2089 * mblk. The key used is the one just created by
2090 * the previous HMAC operation.
2091 * The data being processed is the confounder bytes
2092 * PLUS the input plaintext.
2093 */
2094 result = do_hmac(md5_hmac_mech, &k2,
2095 (char *)mp->b_rptr + hash->hash_len,
2096 hash->confound_len + inlen,
2097 (char *)mp->b_rptr, hash->hash_len);
2098 if (result != CRYPTO_SUCCESS) {
2099 cmn_err(CE_WARN,
2100 "arcfour_hmac_md5_encrypt: do_hmac(k2)"
2101 "failed - error %0x", result);
2102 goto cleanup;
2103 }
2104 /*
2105 * Because of the odd way that MIT uses RC4 keys
2106 * on the rlogin stream, we only need to create
2107 * this key once.
2108 * However, if using "old" rcmd mode, we need to do
2109 * it every time.
2110 */
2111 if (tmi->enc_data.ctx == NULL ||
2112 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
2113 crypto_key_t *key = &tmi->enc_data.d_encr_key;
2114
2115 k1.ck_data = k1data;
2116 k1.ck_format = CRYPTO_KEY_RAW;
2117 k1.ck_length = sizeof (k1data) * 8;
2118
2119 key->ck_format = CRYPTO_KEY_RAW;
2120 key->ck_length = k1.ck_length;
2121 if (key->ck_data == NULL)
2122 key->ck_data = kmem_zalloc(
2123 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
2124
2125 /*
2126 * The final HMAC operation creates the encryption
2127 * key to be used for the encrypt operation.
2128 */
2129 result = do_hmac(md5_hmac_mech, &k1,
2130 (char *)mp->b_rptr, hash->hash_len,
2131 (char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES);
2132
2133 if (result != CRYPTO_SUCCESS) {
2134 cmn_err(CE_WARN,
2135 "arcfour_hmac_md5_encrypt: do_hmac(k3)"
2136 "failed - error %0x", result);
2137 goto cleanup;
2138 }
2139 }
2140
2141 /*
2142 * If the context has not been initialized, do it now.
2143 */
2144 if (tmi->enc_data.ctx == NULL &&
2145 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
2146 /*
2147 * Only create a template if we are doing
2148 * chaining from block to block.
2149 */
2150 result = crypto_create_ctx_template(&mech,
2151 &tmi->enc_data.d_encr_key,
2152 &tmi->enc_data.enc_tmpl,
2153 KM_SLEEP);
2154 if (result == CRYPTO_NOT_SUPPORTED) {
2155 tmi->enc_data.enc_tmpl = NULL;
2156 } else if (result != CRYPTO_SUCCESS) {
2157 cmn_err(CE_WARN, "failed to create enc template "
2158 "for RC4 encrypt: %0x", result);
2159 goto cleanup;
2160 }
2161
2162 result = crypto_encrypt_init(&mech,
2163 &tmi->enc_data.d_encr_key,
2164 tmi->enc_data.enc_tmpl,
2165 &tmi->enc_data.ctx, NULL);
2166 if (result != CRYPTO_SUCCESS) {
2167 cmn_err(CE_WARN, "crypto_encrypt_init failed:"
2168 " %0x", result);
2169 goto cleanup;
2170 }
2171 }
2172 v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
2173 v1.iov_len = hash->confound_len + inlen;
2174
2175 indata.cd_format = CRYPTO_DATA_RAW;
2176 indata.cd_offset = 0;
2177 indata.cd_length = hash->confound_len + inlen;
2178 indata.cd_raw = v1;
2179
2180 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2181 result = crypto_encrypt_update(tmi->enc_data.ctx,
2182 &indata, NULL, NULL);
2183 else
2184 result = crypto_encrypt(&mech, &indata,
2185 &tmi->enc_data.d_encr_key, NULL,
2186 NULL, NULL);
2187
2188 if (result != CRYPTO_SUCCESS) {
2189 cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x",
2190 result);
2191 }
2192
2193 cleanup:
2194 bzero(k1data, sizeof (k1data));
2195 bzero(k2data, sizeof (k2data));
2196 bzero(saltdata, sizeof (saltdata));
2197 if (result != CRYPTO_SUCCESS) {
2198 mp->b_datap->db_type = M_ERROR;
2199 mp->b_rptr = mp->b_datap->db_base;
2200 *mp->b_rptr = EIO;
2201 mp->b_wptr = mp->b_rptr + sizeof (char);
2202 freemsg(mp->b_cont);
2203 mp->b_cont = NULL;
2204 qreply(WR(q), mp);
2205 return (NULL);
2206 }
2207 return (mp);
2208 }
2209
2210 /*
2211 * DES-CBC-[HASH] encrypt
2212 *
2213 * Needed to support userland apps that must support Kerberos V5
2214 * encryption DES-CBC encryption modes.
2215 *
2216 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2217 *
2218 * format of ciphertext for DES-CBC functions, per RFC1510 is:
2219 * +-----------+----------+-------------+-----+
2220 * |confounder | cksum | msg-data | pad |
2221 * +-----------+----------+-------------+-----+
2222 *
2223 * format of ciphertext when using DES3-SHA1-HMAC
2224 * +-----------+----------+-------------+-----+
2225 * |confounder | msg-data | hmac | pad |
2226 * +-----------+----------+-------------+-----+
2227 *
2228 * The confounder is 8 bytes of random data.
2229 * The cksum depends on the hash being used.
2230 * 4 bytes for CRC32
2231 * 16 bytes for MD5
2232 * 20 bytes for SHA1
2233 * 0 bytes for RAW
2234 *
2235 */
2236 static mblk_t *
2237 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2238 {
2239 int result;
2240 size_t cipherlen;
2241 size_t inlen;
2242 size_t plainlen;
2243
2244 /*
2245 * The size at this point should be the size of
2246 * all the plaintext plus the optional plaintext length
2247 * needed for RCMD V2 mode. There should also be room
2248 * at the head of the mblk for the confounder and hash info.
2249 */
2250 inlen = (size_t)MBLKL(mp);
2251
2252 /*
2253 * The output size will be a multiple of 8 because this algorithm
2254 * only works on 8 byte chunks.
2255 */
2256 cipherlen = encrypt_size(&tmi->enc_data, inlen);
2257
2258 ASSERT(MBLKSIZE(mp) >= cipherlen);
2259
2260 if (cipherlen > inlen) {
2261 bzero(mp->b_wptr, MBLKTAIL(mp));
2262 }
2263
2264 /*
2265 * Shift the rptr back enough to insert
2266 * the confounder and hash.
2267 */
2268 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2269 mp->b_rptr -= hash->confound_len;
2270 } else {
2271 mp->b_rptr -= (hash->confound_len + hash->hash_len);
2272
2273 /* zero out the hash area */
2274 bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
2275 }
2276
2277 /* get random confounder from our friend, the 'random' module */
2278 if (hash->confound_len > 0) {
2279 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
2280 (size_t)hash->confound_len);
2281 }
2282
2283 /*
2284 * For 3DES we calculate an HMAC later.
2285 */
2286 if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
2287 /* calculate chksum of confounder + input */
2288 if (hash->hash_len > 0 && hash->hashfunc != NULL) {
2289 uchar_t cksum[MAX_CKSUM_LEN];
2290
2291 result = hash->hashfunc(cksum, mp->b_rptr,
2292 cipherlen);
2293 if (result != CRYPTO_SUCCESS) {
2294 goto failure;
2295 }
2296
2297 /* put hash in place right after the confounder */
2298 bcopy(cksum, (mp->b_rptr + hash->confound_len),
2299 (size_t)hash->hash_len);
2300 }
2301 }
2302 /*
2303 * In order to support the "old" Kerberos RCMD protocol,
2304 * we must use the IVEC 3 different ways:
2305 * IVEC_REUSE = keep using the same IV each time, this is
2306 * ugly and insecure, but necessary for
2307 * backwards compatibility with existing MIT code.
2308 * IVEC_ONETIME = Use the ivec as initialized when the crypto
2309 * was setup (see setup_crypto routine).
2310 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2311 */
2312 if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
2313 bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
2314 } else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
2315 bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
2316 tmi->enc_data.blocklen);
2317 }
2318
2319 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2320 /*
2321 * The input length already included the hash size,
2322 * don't include this in the plaintext length
2323 * calculations.
2324 */
2325 plainlen = cipherlen - hash->hash_len;
2326
2327 mp->b_wptr = mp->b_rptr + plainlen;
2328
2329 result = kef_encr_hmac(&tmi->enc_data,
2330 (void *)mp, (size_t)plainlen,
2331 (char *)(mp->b_rptr + plainlen),
2332 hash->hash_len);
2333 } else {
2334 ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
2335 mp->b_wptr = mp->b_rptr + cipherlen;
2336 result = kef_crypt(&tmi->enc_data, (void *)mp,
2337 CRYPTO_DATA_MBLK, (size_t)cipherlen,
2338 CRYPT_ENCRYPT);
2339 }
2340 failure:
2341 if (result != CRYPTO_SUCCESS) {
2342 #ifdef DEBUG
2343 cmn_err(CE_WARN,
2344 "des_cbc_encrypt: kef_crypt encrypt "
2345 "failed (len: %ld) - error %0x",
2346 cipherlen, result);
2347 #endif
2348 mp->b_datap->db_type = M_ERROR;
2349 mp->b_rptr = mp->b_datap->db_base;
2350 *mp->b_rptr = EIO;
2351 mp->b_wptr = mp->b_rptr + sizeof (char);
2352 freemsg(mp->b_cont);
2353 mp->b_cont = NULL;
2354 qreply(WR(q), mp);
2355 return (NULL);
2356 } else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
2357 /*
2358 * Because we are using KEF, we must manually
2359 * update our IV.
2360 */
2361 bcopy(mp->b_wptr - tmi->enc_data.ivlen,
2362 tmi->enc_data.block, tmi->enc_data.ivlen);
2363 }
2364 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2365 mp->b_wptr = mp->b_rptr + cipherlen;
2366 }
2367
2368 return (mp);
2369 }
2370
2371 /*
2372 * des_cbc_decrypt
2373 *
2374 *
2375 * Needed to support userland apps that must support Kerberos V5
2376 * encryption DES-CBC decryption modes.
2377 *
2378 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2379 *
2380 * format of ciphertext for DES-CBC functions, per RFC1510 is:
2381 * +-----------+----------+-------------+-----+
2382 * |confounder | cksum | msg-data | pad |
2383 * +-----------+----------+-------------+-----+
2384 *
2385 * format of ciphertext when using DES3-SHA1-HMAC
2386 * +-----------+----------+-------------+-----+
2387 * |confounder | msg-data | hmac | pad |
2388 * +-----------+----------+-------------+-----+
2389 *
2390 * The confounder is 8 bytes of random data.
2391 * The cksum depends on the hash being used.
2392 * 4 bytes for CRC32
2393 * 16 bytes for MD5
2394 * 20 bytes for SHA1
2395 * 0 bytes for RAW
2396 *
2397 */
2398 static mblk_t *
2399 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2400 {
2401 uint_t inlen, datalen;
2402 int result = 0;
2403 uchar_t *optr = NULL;
2404 uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
2405 uchar_t nextiv[DEFAULT_DES_BLOCKLEN];
2406
2407 /* Compute adjusted size */
2408 inlen = MBLKL(mp);
2409
2410 optr = mp->b_rptr;
2411
2412 /*
2413 * In order to support the "old" Kerberos RCMD protocol,
2414 * we must use the IVEC 3 different ways:
2415 * IVEC_REUSE = keep using the same IV each time, this is
2416 * ugly and insecure, but necessary for
2417 * backwards compatibility with existing MIT code.
2418 * IVEC_ONETIME = Use the ivec as initialized when the crypto
2419 * was setup (see setup_crypto routine).
2420 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2421 */
2422 if (tmi->dec_data.ivec_usage == IVEC_NEVER)
2423 bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
2424 else if (tmi->dec_data.ivec_usage == IVEC_REUSE)
2425 bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
2426 tmi->dec_data.blocklen);
2427
2428 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2429 /*
2430 * Do not decrypt the HMAC at the end
2431 */
2432 int decrypt_len = inlen - hash->hash_len;
2433
2434 /*
2435 * Move the wptr so the mblk appears to end
2436 * BEFORE the HMAC section.
2437 */
2438 mp->b_wptr = mp->b_rptr + decrypt_len;
2439
2440 /*
2441 * Because we are using KEF, we must manually update our
2442 * IV.
2443 */
2444 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2445 bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen,
2446 nextiv, tmi->dec_data.ivlen);
2447 }
2448
2449 result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
2450 (char *)newcksum, hash->hash_len);
2451 } else {
2452 /*
2453 * Because we are using KEF, we must manually update our
2454 * IV.
2455 */
2456 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2457 bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv,
2458 tmi->dec_data.ivlen);
2459 }
2460 result = kef_crypt(&tmi->dec_data, (void *)mp,
2461 CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
2462 }
2463 if (result != CRYPTO_SUCCESS) {
2464 #ifdef DEBUG
2465 cmn_err(CE_WARN,
2466 "des_cbc_decrypt: kef_crypt decrypt "
2467 "failed - error %0x", result);
2468 #endif
2469 mp->b_datap->db_type = M_ERROR;
2470 mp->b_rptr = mp->b_datap->db_base;
2471 *mp->b_rptr = EIO;
2472 mp->b_wptr = mp->b_rptr + sizeof (char);
2473 freemsg(mp->b_cont);
2474 mp->b_cont = NULL;
2475 qreply(WR(q), mp);
2476 return (NULL);
2477 }
2478
2479 /*
2480 * Manually update the IV, KEF does not track this for us.
2481 */
2482 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2483 bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen);
2484 }
2485
2486 /* Verify the checksum(if necessary) */
2487 if (hash->hash_len > 0) {
2488 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2489 bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
2490 hash->hash_len);
2491 } else {
2492 bcopy(optr + hash->confound_len, cksum, hash->hash_len);
2493
2494 /* zero the cksum in the buffer */
2495 ASSERT(optr + hash->confound_len + hash->hash_len <=
2496 DB_LIM(mp));
2497 bzero(optr + hash->confound_len, hash->hash_len);
2498
2499 /* calculate MD5 chksum of confounder + input */
2500 if (hash->hashfunc) {
2501 (void) hash->hashfunc(newcksum, optr, inlen);
2502 }
2503 }
2504
2505 if (bcmp(cksum, newcksum, hash->hash_len)) {
2506 #ifdef DEBUG
2507 cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
2508 "verification failed");
2509 #endif
2510 mp->b_datap->db_type = M_ERROR;
2511 mp->b_rptr = mp->b_datap->db_base;
2512 *mp->b_rptr = EIO;
2513 mp->b_wptr = mp->b_rptr + sizeof (char);
2514 freemsg(mp->b_cont);
2515 mp->b_cont = NULL;
2516 qreply(WR(q), mp);
2517 return (NULL);
2518 }
2519 }
2520
2521 datalen = inlen - hash->confound_len - hash->hash_len;
2522
2523 /* Move just the decrypted input into place if necessary */
2524 if (hash->confound_len > 0 || hash->hash_len > 0) {
2525 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1)
2526 mp->b_rptr += hash->confound_len;
2527 else
2528 mp->b_rptr += hash->confound_len + hash->hash_len;
2529 }
2530
2531 ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
2532 mp->b_wptr = mp->b_rptr + datalen;
2533
2534 return (mp);
2535 }
2536
2537 static mblk_t *
2538 do_decrypt(queue_t *q, mblk_t *mp)
2539 {
2540 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2541 mblk_t *outmp;
2542
2543 switch (tmi->dec_data.method) {
2544 case CRYPT_METHOD_DES_CFB:
2545 outmp = des_cfb_decrypt(q, tmi, mp);
2546 break;
2547 case CRYPT_METHOD_NONE:
2548 outmp = mp;
2549 break;
2550 case CRYPT_METHOD_DES_CBC_NULL:
2551 outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
2552 break;
2553 case CRYPT_METHOD_DES_CBC_MD5:
2554 outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
2555 break;
2556 case CRYPT_METHOD_DES_CBC_CRC:
2557 outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
2558 break;
2559 case CRYPT_METHOD_DES3_CBC_SHA1:
2560 outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
2561 break;
2562 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2563 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2564 outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
2565 break;
2566 case CRYPT_METHOD_AES128:
2567 case CRYPT_METHOD_AES256:
2568 outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
2569 break;
2570 }
2571 return (outmp);
2572 }
2573
2574 /*
2575 * do_encrypt
2576 *
2577 * Generic encryption routine for a single message block.
2578 * The input mblk may be replaced by some encrypt routines
2579 * because they add extra data in some cases that may exceed
2580 * the input mblk_t size limit.
2581 */
2582 static mblk_t *
2583 do_encrypt(queue_t *q, mblk_t *mp)
2584 {
2585 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2586 mblk_t *outmp;
2587
2588 switch (tmi->enc_data.method) {
2589 case CRYPT_METHOD_DES_CFB:
2590 outmp = des_cfb_encrypt(q, tmi, mp);
2591 break;
2592 case CRYPT_METHOD_DES_CBC_NULL:
2593 outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
2594 break;
2595 case CRYPT_METHOD_DES_CBC_MD5:
2596 outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
2597 break;
2598 case CRYPT_METHOD_DES_CBC_CRC:
2599 outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
2600 break;
2601 case CRYPT_METHOD_DES3_CBC_SHA1:
2602 outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
2603 break;
2604 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2605 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2606 outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
2607 break;
2608 case CRYPT_METHOD_AES128:
2609 case CRYPT_METHOD_AES256:
2610 outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
2611 break;
2612 case CRYPT_METHOD_NONE:
2613 outmp = mp;
2614 break;
2615 }
2616 return (outmp);
2617 }
2618
2619 /*
2620 * setup_crypto
2621 *
2622 * This takes the data from the CRYPTIOCSETUP ioctl
2623 * and sets up a cipher_data_t structure for either
2624 * encryption or decryption. This is where the
2625 * key and initialization vector data get stored
2626 * prior to beginning any crypto functions.
2627 *
2628 * Special note:
2629 * Some applications(e.g. telnetd) have ability to switch
2630 * crypto on/off periodically. Thus, the application may call
2631 * the CRYPTIOCSETUP ioctl many times for the same stream.
2632 * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
2633 * assume that the key, block, and saveblock fields that are already
2634 * set from a previous CRIOCSETUP call are still valid. This helps avoid
2635 * a rekeying error that could occur if we overwrite these fields
2636 * with each CRYPTIOCSETUP call.
2637 * In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
2638 * without resetting the original crypto parameters.
2639 *
2640 */
2641 static int
2642 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
2643 {
2644 uint_t newblocklen;
2645 uint32_t enc_usage = 0, dec_usage = 0;
2646 int rv;
2647
2648 /*
2649 * Initial sanity checks
2650 */
2651 if (!CR_METHOD_OK(ci->crypto_method)) {
2652 cmn_err(CE_WARN, "Illegal crypto method (%d)",
2653 ci->crypto_method);
2654 return (EINVAL);
2655 }
2656 if (!CR_OPTIONS_OK(ci->option_mask)) {
2657 cmn_err(CE_WARN, "Illegal crypto options (%d)",
2658 ci->option_mask);
2659 return (EINVAL);
2660 }
2661 if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
2662 cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
2663 ci->ivec_usage);
2664 return (EINVAL);
2665 }
2666
2667 cd->method = ci->crypto_method;
2668 cd->bytes = 0;
2669
2670 if (ci->keylen > 0) {
2671 if (cd->key != NULL) {
2672 kmem_free(cd->key, cd->keylen);
2673 cd->key = NULL;
2674 cd->keylen = 0;
2675 }
2676 /*
2677 * cd->key holds the copy of the raw key bytes passed in
2678 * from the userland app.
2679 */
2680 cd->key = kmem_alloc((size_t)ci->keylen, KM_SLEEP);
2681
2682 cd->keylen = ci->keylen;
2683 bcopy(ci->key, cd->key, (size_t)ci->keylen);
2684 }
2685
2686 /*
2687 * Configure the block size based on the type of cipher.
2688 */
2689 switch (cd->method) {
2690 case CRYPT_METHOD_NONE:
2691 newblocklen = 0;
2692 break;
2693 case CRYPT_METHOD_DES_CFB:
2694 newblocklen = DEFAULT_DES_BLOCKLEN;
2695 cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
2696 break;
2697 case CRYPT_METHOD_DES_CBC_NULL:
2698 case CRYPT_METHOD_DES_CBC_MD5:
2699 case CRYPT_METHOD_DES_CBC_CRC:
2700 newblocklen = DEFAULT_DES_BLOCKLEN;
2701 cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
2702 break;
2703 case CRYPT_METHOD_DES3_CBC_SHA1:
2704 newblocklen = DEFAULT_DES_BLOCKLEN;
2705 cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
2706 /* 3DES always uses the old usage constant */
2707 enc_usage = RCMDV1_USAGE;
2708 dec_usage = RCMDV1_USAGE;
2709 break;
2710 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2711 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2712 newblocklen = 0;
2713 cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
2714 break;
2715 case CRYPT_METHOD_AES128:
2716 case CRYPT_METHOD_AES256:
2717 newblocklen = DEFAULT_AES_BLOCKLEN;
2718 cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
2719 enc_usage = AES_ENCRYPT_USAGE;
2720 dec_usage = AES_DECRYPT_USAGE;
2721 break;
2722 }
2723 if (cd->mech_type == CRYPTO_MECH_INVALID) {
2724 return (CRYPTO_FAILED);
2725 }
2726
2727 /*
2728 * If RC4, initialize the master crypto key used by
2729 * the RC4 algorithm to derive the final encrypt and decrypt keys.
2730 */
2731 if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
2732 /*
2733 * cd->ckey is a kernel crypto key structure used as the
2734 * master key in the RC4-HMAC crypto operations.
2735 */
2736 if (cd->ckey == NULL) {
2737 cd->ckey = (crypto_key_t *)kmem_zalloc(
2738 sizeof (crypto_key_t), KM_SLEEP);
2739 }
2740
2741 cd->ckey->ck_format = CRYPTO_KEY_RAW;
2742 cd->ckey->ck_data = cd->key;
2743
2744 /* key length for EF is measured in bits */
2745 cd->ckey->ck_length = cd->keylen * 8;
2746 }
2747
2748 /*
2749 * cd->block and cd->saveblock are used as temporary storage for
2750 * data that must be carried over between encrypt/decrypt operations
2751 * in some of the "feedback" modes.
2752 */
2753 if (newblocklen != cd->blocklen) {
2754 if (cd->block != NULL) {
2755 kmem_free(cd->block, cd->blocklen);
2756 cd->block = NULL;
2757 }
2758
2759 if (cd->saveblock != NULL) {
2760 kmem_free(cd->saveblock, cd->blocklen);
2761 cd->saveblock = NULL;
2762 }
2763
2764 cd->blocklen = newblocklen;
2765 if (cd->blocklen) {
2766 cd->block = kmem_zalloc((size_t)cd->blocklen,
2767 KM_SLEEP);
2768 }
2769
2770 if (cd->method == CRYPT_METHOD_DES_CFB)
2771 cd->saveblock = kmem_zalloc(cd->blocklen,
2772 KM_SLEEP);
2773 else
2774 cd->saveblock = NULL;
2775 }
2776
2777 if (ci->iveclen != cd->ivlen) {
2778 if (cd->ivec != NULL) {
2779 kmem_free(cd->ivec, cd->ivlen);
2780 cd->ivec = NULL;
2781 }
2782 if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
2783 cd->ivec = kmem_zalloc((size_t)ci->iveclen,
2784 KM_SLEEP);
2785 cd->ivlen = ci->iveclen;
2786 } else {
2787 cd->ivlen = 0;
2788 cd->ivec = NULL;
2789 }
2790 }
2791 cd->option_mask = ci->option_mask;
2792
2793 /*
2794 * Old protocol requires a static 'usage' value for
2795 * deriving keys. Yuk.
2796 */
2797 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
2798 enc_usage = dec_usage = RCMDV1_USAGE;
2799 }
2800
2801 if (cd->ivlen > cd->blocklen) {
2802 cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
2803 return (EINVAL);
2804 }
2805
2806 /*
2807 * If we are using an IVEC "correctly" (i.e. set it once)
2808 * copy it here.
2809 */
2810 if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
2811 bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);
2812
2813 cd->ivec_usage = ci->ivec_usage;
2814 if (cd->ivec != NULL) {
2815 /* Save the original IVEC in case we need it later */
2816 bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
2817 }
2818 /*
2819 * Special handling for 3DES-SHA1-HMAC and AES crypto:
2820 * generate derived keys and context templates
2821 * for better performance.
2822 */
2823 if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
2824 IS_AES_METHOD(cd->method)) {
2825 crypto_mechanism_t enc_mech;
2826 crypto_mechanism_t hmac_mech;
2827
2828 if (cd->d_encr_key.ck_data != NULL) {
2829 bzero(cd->d_encr_key.ck_data, cd->keylen);
2830 kmem_free(cd->d_encr_key.ck_data, cd->keylen);
2831 }
2832
2833 if (cd->d_hmac_key.ck_data != NULL) {
2834 bzero(cd->d_hmac_key.ck_data, cd->keylen);
2835 kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
2836 }
2837
2838 if (cd->enc_tmpl != NULL)
2839 (void) crypto_destroy_ctx_template(cd->enc_tmpl);
2840
2841 if (cd->hmac_tmpl != NULL)
2842 (void) crypto_destroy_ctx_template(cd->hmac_tmpl);
2843
2844 enc_mech.cm_type = cd->mech_type;
2845 enc_mech.cm_param = cd->ivec;
2846 enc_mech.cm_param_len = cd->ivlen;
2847
2848 hmac_mech.cm_type = sha1_hmac_mech;
2849 hmac_mech.cm_param = NULL;
2850 hmac_mech.cm_param_len = 0;
2851
2852 /*
2853 * Create the derived keys.
2854 */
2855 rv = create_derived_keys(cd,
2856 (encrypt ? enc_usage : dec_usage),
2857 &cd->d_encr_key, &cd->d_hmac_key);
2858
2859 if (rv != CRYPTO_SUCCESS) {
2860 cmn_err(CE_WARN, "failed to create derived "
2861 "keys: %0x", rv);
2862 return (CRYPTO_FAILED);
2863 }
2864
2865 rv = crypto_create_ctx_template(&enc_mech,
2866 &cd->d_encr_key,
2867 &cd->enc_tmpl, KM_SLEEP);
2868 if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2869 cd->enc_tmpl = NULL;
2870 } else if (rv != CRYPTO_SUCCESS) {
2871 cmn_err(CE_WARN, "failed to create enc template "
2872 "for d_encr_key: %0x", rv);
2873 return (CRYPTO_FAILED);
2874 }
2875
2876 rv = crypto_create_ctx_template(&hmac_mech,
2877 &cd->d_hmac_key,
2878 &cd->hmac_tmpl, KM_SLEEP);
2879 if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2880 cd->hmac_tmpl = NULL;
2881 } else if (rv != CRYPTO_SUCCESS) {
2882 cmn_err(CE_WARN, "failed to create hmac template:"
2883 " %0x", rv);
2884 return (CRYPTO_FAILED);
2885 }
2886 } else if (IS_RC4_METHOD(cd->method)) {
2887 bzero(&cd->d_encr_key, sizeof (crypto_key_t));
2888 bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
2889 cd->ctx = NULL;
2890 cd->enc_tmpl = NULL;
2891 cd->hmac_tmpl = NULL;
2892 }
2893
2894 /* Final sanity checks, make sure no fields are NULL */
2895 if (cd->method != CRYPT_METHOD_NONE) {
2896 if (cd->block == NULL && cd->blocklen > 0) {
2897 #ifdef DEBUG
2898 cmn_err(CE_WARN,
2899 "setup_crypto: IV block not allocated");
2900 #endif
2901 return (ENOMEM);
2902 }
2903 if (cd->key == NULL && cd->keylen > 0) {
2904 #ifdef DEBUG
2905 cmn_err(CE_WARN,
2906 "setup_crypto: key block not allocated");
2907 #endif
2908 return (ENOMEM);
2909 }
2910 if (cd->method == CRYPT_METHOD_DES_CFB &&
2911 cd->saveblock == NULL && cd->blocklen > 0) {
2912 #ifdef DEBUG
2913 cmn_err(CE_WARN,
2914 "setup_crypto: save block not allocated");
2915 #endif
2916 return (ENOMEM);
2917 }
2918 if (cd->ivec == NULL && cd->ivlen > 0) {
2919 #ifdef DEBUG
2920 cmn_err(CE_WARN,
2921 "setup_crypto: IV not allocated");
2922 #endif
2923 return (ENOMEM);
2924 }
2925 }
2926 return (0);
2927 }
2928
2929 /*
2930 * RCMDS require a 4 byte, clear text
2931 * length field before each message.
2932 * Add it now.
2933 */
2934 static mblk_t *
2935 mklenmp(mblk_t *bp, uint32_t len)
2936 {
2937 mblk_t *lenmp;
2938 uchar_t *ucp;
2939
2940 if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) {
2941 lenmp = allocb(4, BPRI_MED);
2942 if (lenmp != NULL) {
2943 lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
2944 linkb(lenmp, bp);
2945 bp = lenmp;
2946 }
2947 }
2948 ucp = bp->b_rptr;
2949 *--ucp = len;
2950 *--ucp = len >> 8;
2951 *--ucp = len >> 16;
2952 *--ucp = len >> 24;
2953
2954 bp->b_rptr = ucp;
2955
2956 return (bp);
2957 }
2958
2959 static mblk_t *
2960 encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen)
2961 {
2962 mblk_t *newmp;
2963 size_t headspace;
2964
2965 mblk_t *cbp;
2966 size_t cipherlen;
2967 size_t extra = 0;
2968 uint32_t ptlen = (uint32_t)plainlen;
2969 /*
2970 * If we are using the "NEW" RCMD mode,
2971 * add 4 bytes to the plaintext for the
2972 * plaintext length that gets prepended
2973 * before encrypting.
2974 */
2975 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2976 ptlen += 4;
2977
2978 cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);
2979
2980 /*
2981 * if we must allocb, then make sure its enough
2982 * to hold the length field so we dont have to allocb
2983 * again down below in 'mklenmp'
2984 */
2985 if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
2986 extra = sizeof (uint32_t);
2987 }
2988
2989 /*
2990 * Calculate how much space is needed in front of
2991 * the data.
2992 */
2993 headspace = plaintext_offset(&tmi->enc_data);
2994
2995 /*
2996 * If the current block is too small, reallocate
2997 * one large enough to hold the hdr, tail, and
2998 * ciphertext.
2999 */
3000 if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
3001 int sz = P2ROUNDUP(cipherlen+extra, 8);
3002
3003 cbp = allocb_tmpl(sz, mp);
3004 if (cbp == NULL) {
3005 cmn_err(CE_WARN,
3006 "allocb (%d bytes) failed", sz);
3007 return (NULL);
3008 }
3009
3010 cbp->b_cont = mp->b_cont;
3011
3012 /*
3013 * headspace includes the length fields needed
3014 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
3015 */
3016 ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen+headspace, 8)
3017 <= DB_LIM(cbp));
3018
3019 cbp->b_rptr = DB_BASE(cbp) + headspace;
3020 bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
3021 cbp->b_wptr = cbp->b_rptr + plainlen;
3022
3023 freeb(mp);
3024 } else {
3025 size_t extra = 0;
3026 cbp = mp;
3027
3028 /*
3029 * Some ciphers add HMAC after the final block
3030 * of the ciphertext, not at the beginning like the
3031 * 1-DES ciphers.
3032 */
3033 if (tmi->enc_data.method ==
3034 CRYPT_METHOD_DES3_CBC_SHA1 ||
3035 IS_AES_METHOD(tmi->enc_data.method)) {
3036 extra = sha1_hash.hash_len;
3037 }
3038
3039 /*
3040 * Make sure the rptr is positioned correctly so that
3041 * routines later do not have to shift this data around
3042 */
3043 if ((cbp->b_rptr + P2ROUNDUP(cipherlen + extra, 8) >
3044 DB_LIM(cbp)) ||
3045 (cbp->b_rptr - headspace < DB_BASE(cbp))) {
3046 ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
3047 plainlen);
3048 cbp->b_rptr = DB_BASE(cbp) + headspace;
3049 cbp->b_wptr = cbp->b_rptr + plainlen;
3050 }
3051 }
3052
3053 ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
3054 ASSERT(cbp->b_wptr <= DB_LIM(cbp));
3055
3056 /*
3057 * If using RCMD_MODE_V2 (new rcmd mode), prepend
3058 * the plaintext length before the actual plaintext.
3059 */
3060 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
3061 cbp->b_rptr -= RCMD_LEN_SZ;
3062
3063 /* put plaintext length at head of buffer */
3064 *(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
3065 *(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
3066 *(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
3067 *(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
3068 }
3069
3070 newmp = do_encrypt(q, cbp);
3071
3072 if (newmp != NULL &&
3073 (tmi->enc_data.option_mask &
3074 (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
3075 mblk_t *lp;
3076 /*
3077 * Add length field, required when this is
3078 * used to encrypt "r*" commands(rlogin, rsh)
3079 * with Kerberos.
3080 */
3081 lp = mklenmp(newmp, plainlen);
3082
3083 if (lp == NULL) {
3084 freeb(newmp);
3085 return (NULL);
3086 } else {
3087 newmp = lp;
3088 }
3089 }
3090 return (newmp);
3091 }
3092
3093 /*
3094 * encrypt_msgb
3095 *
3096 * encrypt a single message. This routine adds the
3097 * RCMD overhead bytes when necessary.
3098 */
3099 static mblk_t *
3100 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
3101 {
3102 size_t plainlen, outlen;
3103 mblk_t *newmp = NULL;
3104
3105 /* If not encrypting, do nothing */
3106 if (tmi->enc_data.method == CRYPT_METHOD_NONE) {
3107 return (mp);
3108 }
3109
3110 plainlen = MBLKL(mp);
3111 if (plainlen == 0)
3112 return (NULL);
3113
3114 /*
3115 * If the block is too big, we encrypt in 4K chunks so that
3116 * older rlogin clients do not choke on the larger buffers.
3117 */
3118 while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) {
3119 mblk_t *mp1 = NULL;
3120 outlen = MSGBUF_SIZE;
3121 /*
3122 * Allocate a new buffer that is only 4K bytes, the
3123 * extra bytes are for crypto overhead.
3124 */
3125 mp1 = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED);
3126 if (mp1 == NULL) {
3127 cmn_err(CE_WARN,
3128 "allocb (%d bytes) failed",
3129 (int)(outlen + CONFOUNDER_BYTES));
3130 return (NULL);
3131 }
3132 /* Copy the next 4K bytes from the old block. */
3133 bcopy(mp->b_rptr, mp1->b_rptr, outlen);
3134 mp1->b_wptr = mp1->b_rptr + outlen;
3135 /* Advance the old block. */
3136 mp->b_rptr += outlen;
3137
3138 /* encrypt the new block */
3139 newmp = encrypt_block(q, tmi, mp1, outlen);
3140 if (newmp == NULL)
3141 return (NULL);
3142
3143 putnext(q, newmp);
3144 }
3145 newmp = NULL;
3146 /* If there is data left (< MSGBUF_SIZE), encrypt it. */
3147 if ((plainlen = MBLKL(mp)) > 0)
3148 newmp = encrypt_block(q, tmi, mp, plainlen);
3149
3150 return (newmp);
3151 }
3152
3153 /*
3154 * cryptmodwsrv
3155 *
3156 * Service routine for the write queue.
3157 *
3158 * Because data may be placed in the queue to hold between
3159 * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
3160 */
3161 static int
3162 cryptmodwsrv(queue_t *q)
3163 {
3164 mblk_t *mp;
3165 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3166
3167 while ((mp = getq(q)) != NULL) {
3168 switch (mp->b_datap->db_type) {
3169 default:
3170 /*
3171 * wput does not queue anything > QPCTL
3172 */
3173 if (!canputnext(q) ||
3174 !(tmi->ready & CRYPT_WRITE_READY)) {
3175 if (!putbq(q, mp)) {
3176 freemsg(mp);
3177 }
3178 return (0);
3179 }
3180 putnext(q, mp);
3181 break;
3182 case M_DATA:
3183 if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) {
3184 mblk_t *bp;
3185 mblk_t *newmsg = NULL;
3186
3187 /*
3188 * If multiple msgs, concat into 1
3189 * to minimize crypto operations later.
3190 */
3191 if (mp->b_cont != NULL) {
3192 bp = msgpullup(mp, -1);
3193 if (bp != NULL) {
3194 freemsg(mp);
3195 mp = bp;
3196 }
3197 }
3198 newmsg = encrypt_msgb(q, tmi, mp);
3199 if (newmsg != NULL)
3200 putnext(q, newmsg);
3201 } else {
3202 if (!putbq(q, mp)) {
3203 freemsg(mp);
3204 }
3205 return (0);
3206 }
3207 break;
3208 }
3209 }
3210 return (0);
3211 }
3212
3213 static void
3214 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
3215 {
3216 mblk_t *newmp = NULL;
3217 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3218
3219 if (dir == CRYPT_ENCRYPT) {
3220 tmi->ready |= CRYPT_WRITE_READY;
3221 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
3222 "start_stream: restart ENCRYPT/WRITE q"));
3223
3224 enableok(wq);
3225 qenable(wq);
3226 } else if (dir == CRYPT_DECRYPT) {
3227 /*
3228 * put any extra data in the RD
3229 * queue to be processed and
3230 * sent back up.
3231 */
3232 newmp = mp->b_cont;
3233 mp->b_cont = NULL;
3234
3235 tmi->ready |= CRYPT_READ_READY;
3236 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3237 SL_TRACE|SL_NOTE,
3238 "start_stream: restart "
3239 "DECRYPT/READ q"));
3240
3241 if (newmp != NULL)
3242 if (!putbq(RD(wq), newmp))
3243 freemsg(newmp);
3244
3245 enableok(RD(wq));
3246 qenable(RD(wq));
3247 }
3248
3249 miocack(wq, mp, 0, 0);
3250 }
3251
3252 /*
3253 * Write-side put procedure. Its main task is to detect ioctls and
3254 * FLUSH operations. Other message types are passed on through.
3255 */
3256 static void
3257 cryptmodwput(queue_t *wq, mblk_t *mp)
3258 {
3259 struct iocblk *iocp;
3260 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3261 int ret, err;
3262
3263 switch (mp->b_datap->db_type) {
3264 case M_DATA:
3265 if (wq->q_first == NULL && canputnext(wq) &&
3266 (tmi->ready & CRYPT_WRITE_READY) &&
3267 tmi->enc_data.method == CRYPT_METHOD_NONE) {
3268 putnext(wq, mp);
3269 return;
3270 }
3271 /* else, put it in the service queue */
3272 if (!putq(wq, mp)) {
3273 freemsg(mp);
3274 }
3275 break;
3276 case M_FLUSH:
3277 if (*mp->b_rptr & FLUSHW) {
3278 flushq(wq, FLUSHDATA);
3279 }
3280 putnext(wq, mp);
3281 break;
3282 case M_IOCTL:
3283 iocp = (struct iocblk *)mp->b_rptr;
3284 switch (iocp->ioc_cmd) {
3285 case CRYPTIOCSETUP:
3286 ret = 0;
3287 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3288 SL_TRACE | SL_NOTE,
3289 "wput: got CRYPTIOCSETUP "
3290 "ioctl(%d)", iocp->ioc_cmd));
3291
3292 if ((err = miocpullup(mp,
3293 sizeof (struct cr_info_t))) != 0) {
3294 cmn_err(CE_WARN,
3295 "wput: miocpullup failed for cr_info_t");
3296 miocnak(wq, mp, 0, err);
3297 } else {
3298 struct cr_info_t *ci;
3299 ci = (struct cr_info_t *)mp->b_cont->b_rptr;
3300
3301 if (ci->direction_mask & CRYPT_ENCRYPT) {
3302 ret = setup_crypto(ci, &tmi->enc_data, 1);
3303 }
3304
3305 if (ret == 0 &&
3306 (ci->direction_mask & CRYPT_DECRYPT)) {
3307 ret = setup_crypto(ci, &tmi->dec_data, 0);
3308 }
3309 if (ret == 0 &&
3310 (ci->direction_mask & CRYPT_DECRYPT) &&
3311 ANY_RCMD_MODE(tmi->dec_data.option_mask)) {
3312 bzero(&tmi->rcmd_state,
3313 sizeof (tmi->rcmd_state));
3314 }
3315 if (ret == 0) {
3316 miocack(wq, mp, 0, 0);
3317 } else {
3318 cmn_err(CE_WARN,
3319 "wput: setup_crypto failed");
3320 miocnak(wq, mp, 0, ret);
3321 }
3322 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3323 SL_TRACE|SL_NOTE,
3324 "wput: done with SETUP "
3325 "ioctl"));
3326 }
3327 break;
3328 case CRYPTIOCSTOP:
3329 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3330 SL_TRACE|SL_NOTE,
3331 "wput: got CRYPTIOCSTOP "
3332 "ioctl(%d)", iocp->ioc_cmd));
3333
3334 if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) {
3335 cmn_err(CE_WARN,
3336 "wput: CRYPTIOCSTOP ioctl wrong "
3337 "size (%d should be %d)",
3338 (int)iocp->ioc_count,
3339 (int)sizeof (uint32_t));
3340 miocnak(wq, mp, 0, err);
3341 } else {
3342 uint32_t *stopdir;
3343
3344 stopdir = (uint32_t *)mp->b_cont->b_rptr;
3345 if (!CR_DIRECTION_OK(*stopdir)) {
3346 miocnak(wq, mp, 0, EINVAL);
3347 return;
3348 }
3349
3350 /* disable the queues until further notice */
3351 if (*stopdir & CRYPT_ENCRYPT) {
3352 noenable(wq);
3353 tmi->ready &= ~CRYPT_WRITE_READY;
3354 }
3355 if (*stopdir & CRYPT_DECRYPT) {
3356 noenable(RD(wq));
3357 tmi->ready &= ~CRYPT_READ_READY;
3358 }
3359
3360 miocack(wq, mp, 0, 0);
3361 }
3362 break;
3363 case CRYPTIOCSTARTDEC:
3364 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3365 SL_TRACE|SL_NOTE,
3366 "wput: got CRYPTIOCSTARTDEC "
3367 "ioctl(%d)", iocp->ioc_cmd));
3368
3369 start_stream(wq, mp, CRYPT_DECRYPT);
3370 break;
3371 case CRYPTIOCSTARTENC:
3372 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3373 SL_TRACE|SL_NOTE,
3374 "wput: got CRYPTIOCSTARTENC "
3375 "ioctl(%d)", iocp->ioc_cmd));
3376
3377 start_stream(wq, mp, CRYPT_ENCRYPT);
3378 break;
3379 default:
3380 putnext(wq, mp);
3381 break;
3382 }
3383 break;
3384 default:
3385 if (queclass(mp) < QPCTL) {
3386 if (wq->q_first != NULL || !canputnext(wq)) {
3387 if (!putq(wq, mp))
3388 freemsg(mp);
3389 return;
3390 }
3391 }
3392 putnext(wq, mp);
3393 break;
3394 }
3395 }
3396
3397 /*
3398 * decrypt_rcmd_mblks
3399 *
3400 * Because kerberized r* commands(rsh, rlogin, etc)
3401 * use a 4 byte length field to indicate the # of
3402 * PLAINTEXT bytes that are encrypted in the field
3403 * that follows, we must parse out each message and
3404 * break out the length fields prior to sending them
3405 * upstream to our Solaris r* clients/servers which do
3406 * NOT understand this format.
3407 *
3408 * Kerberized/encrypted message format:
3409 * -------------------------------
3410 * | XXXX | N bytes of ciphertext|
3411 * -------------------------------
3412 *
3413 * Where: XXXX = number of plaintext bytes that were encrypted in
3414 * to make the ciphertext field. This is done
3415 * because we are using a cipher that pads out to
3416 * an 8 byte boundary. We only want the application
3417 * layer to see the correct number of plain text bytes,
3418 * not plaintext + pad. So, after we decrypt, we
3419 * must trim the output block down to the intended
3420 * plaintext length and eliminate the pad bytes.
3421 *
3422 * This routine takes the entire input message, breaks it into
3423 * a new message that does not contain these length fields and
3424 * returns a message consisting of mblks filled with just ciphertext.
3425 *
3426 */
3427 static mblk_t *
3428 decrypt_rcmd_mblks(queue_t *q, mblk_t *mp)
3429 {
3430 mblk_t *newmp = NULL;
3431 size_t msglen;
3432 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3433
3434 msglen = msgsize(mp);
3435
3436 /*
3437 * If we need the length field, get it here.
3438 * Test the "plaintext length" indicator.
3439 */
3440 if (tmi->rcmd_state.pt_len == 0) {
3441 uint32_t elen;
3442 int tocopy;
3443 mblk_t *nextp;
3444
3445 /*
3446 * Make sure we have recieved all 4 bytes of the
3447 * length field.
3448 */
3449 while (mp != NULL) {
3450 ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t));
3451
3452 tocopy = sizeof (uint32_t) -
3453 tmi->rcmd_state.cd_len;
3454 if (tocopy > msglen)
3455 tocopy = msglen;
3456
3457 ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp));
3458 bcopy(mp->b_rptr,
3459 (char *)(&tmi->rcmd_state.next_len +
3460 tmi->rcmd_state.cd_len), tocopy);
3461
3462 tmi->rcmd_state.cd_len += tocopy;
3463
3464 if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) {
3465 tmi->rcmd_state.next_len =
3466 ntohl(tmi->rcmd_state.next_len);
3467 break;
3468 }
3469
3470 nextp = mp->b_cont;
3471 mp->b_cont = NULL;
3472 freeb(mp);
3473 mp = nextp;
3474 }
3475
3476 if (mp == NULL) {
3477 return (NULL);
3478 }
3479 /*
3480 * recalculate the msglen now that we've read the
3481 * length and adjusted the bufptr (b_rptr).
3482 */
3483 msglen -= tocopy;
3484 mp->b_rptr += tocopy;
3485
3486 tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len;
3487
3488 if (tmi->rcmd_state.pt_len <= 0) {
3489 /*
3490 * Return an IO error to break the connection. there
3491 * is no way to recover from this. Usually it means
3492 * the app has incorrectly requested decryption on
3493 * a non-encrypted stream, thus the "pt_len" field
3494 * is negative.
3495 */
3496 mp->b_datap->db_type = M_ERROR;
3497 mp->b_rptr = mp->b_datap->db_base;
3498 *mp->b_rptr = EIO;
3499 mp->b_wptr = mp->b_rptr + sizeof (char);
3500
3501 freemsg(mp->b_cont);
3502 mp->b_cont = NULL;
3503 qreply(WR(q), mp);
3504 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3505 return (NULL);
3506 }
3507
3508 /*
3509 * If this is V2 mode, then the encrypted data is actually
3510 * 4 bytes bigger than the indicated len because the plaintext
3511 * length is encrypted for an additional security check, but
3512 * its not counted as part of the overall length we just read.
3513 * Strange and confusing, but true.
3514 */
3515
3516 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
3517 elen = tmi->rcmd_state.pt_len + 4;
3518 else
3519 elen = tmi->rcmd_state.pt_len;
3520
3521 tmi->rcmd_state.cd_len = encrypt_size(&tmi->dec_data, elen);
3522
3523 /*
3524 * Allocate an mblk to hold the cipher text until it is
3525 * all ready to be processed.
3526 */
3527 tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len,
3528 BPRI_HI);
3529 if (tmi->rcmd_state.c_msg == NULL) {
3530 #ifdef DEBUG
3531 cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed "
3532 "for %d bytes",
3533 (int)tmi->rcmd_state.cd_len);
3534 #endif
3535 /*
3536 * Return an IO error to break the connection.
3537 */
3538 mp->b_datap->db_type = M_ERROR;
3539 mp->b_rptr = mp->b_datap->db_base;
3540 *mp->b_rptr = EIO;
3541 mp->b_wptr = mp->b_rptr + sizeof (char);
3542 freemsg(mp->b_cont);
3543 mp->b_cont = NULL;
3544 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3545 qreply(WR(q), mp);
3546 return (NULL);
3547 }
3548 }
3549
3550 /*
3551 * If this entire message was just the length field,
3552 * free and return. The actual data will probably be next.
3553 */
3554 if (msglen == 0) {
3555 freemsg(mp);
3556 return (NULL);
3557 }
3558
3559 /*
3560 * Copy as much of the cipher text as possible into
3561 * the new msgb (c_msg).
3562 *
3563 * Logic: if we got some bytes (msglen) and we still
3564 * "need" some bytes (len-rcvd), get them here.
3565 */
3566 ASSERT(tmi->rcmd_state.c_msg != NULL);
3567 if (msglen > 0 &&
3568 (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) {
3569 mblk_t *bp, *nextp;
3570 size_t n;
3571
3572 /*
3573 * Walk the mblks and copy just as many bytes as we need
3574 * for this particular block of cipher text.
3575 */
3576 bp = mp;
3577 while (bp != NULL) {
3578 size_t needed;
3579 size_t tocopy;
3580 n = MBLKL(bp);
3581
3582 needed = tmi->rcmd_state.cd_len -
3583 MBLKL(tmi->rcmd_state.c_msg);
3584
3585 tocopy = (needed >= n ? n : needed);
3586
3587 ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp));
3588 ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <=
3589 DB_LIM(tmi->rcmd_state.c_msg));
3590
3591 /* Copy to end of new mblk */
3592 bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr,
3593 tocopy);
3594
3595 tmi->rcmd_state.c_msg->b_wptr += tocopy;
3596
3597 bp->b_rptr += tocopy;
3598
3599 nextp = bp->b_cont;
3600
3601 /*
3602 * If we used this whole block, free it and
3603 * move on.
3604 */
3605 if (!MBLKL(bp)) {
3606 freeb(bp);
3607 bp = NULL;
3608 }
3609
3610 /* If we got what we needed, stop the loop */
3611 if (MBLKL(tmi->rcmd_state.c_msg) ==
3612 tmi->rcmd_state.cd_len) {
3613 /*
3614 * If there is more data in the message,
3615 * its for another block of cipher text,
3616 * put it back in the queue for next time.
3617 */
3618 if (bp) {
3619 if (!putbq(q, bp))
3620 freemsg(bp);
3621 } else if (nextp != NULL) {
3622 /*
3623 * If there is more, put it back in the
3624 * queue for another pass thru.
3625 */
3626 if (!putbq(q, nextp))
3627 freemsg(nextp);
3628 }
3629 break;
3630 }
3631 bp = nextp;
3632 }
3633 }
3634 /*
3635 * Finally, if we received all the cipher text data for
3636 * this message, decrypt it into a new msg and send it up
3637 * to the app.
3638 */
3639 if (tmi->rcmd_state.pt_len > 0 &&
3640 MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) {
3641 mblk_t *bp;
3642 mblk_t *newbp;
3643
3644 /*
3645 * Now we can use our msg that we created when the
3646 * initial message boundary was detected.
3647 */
3648 bp = tmi->rcmd_state.c_msg;
3649 tmi->rcmd_state.c_msg = NULL;
3650
3651 newbp = do_decrypt(q, bp);
3652 if (newbp != NULL) {
3653 bp = newbp;
3654 /*
3655 * If using RCMD_MODE_V2 ("new" mode),
3656 * look at the 4 byte plaintext length that
3657 * was just decrypted and compare with the
3658 * original pt_len value that was received.
3659 */
3660 if (tmi->dec_data.option_mask &
3661 CRYPTOPT_RCMD_MODE_V2) {
3662 uint32_t pt_len2;
3663
3664 pt_len2 = *(uint32_t *)bp->b_rptr;
3665 pt_len2 = ntohl(pt_len2);
3666 /*
3667 * Make sure the 2 pt len fields agree.
3668 */
3669 if (pt_len2 != tmi->rcmd_state.pt_len) {
3670 cmn_err(CE_WARN,
3671 "Inconsistent length fields"
3672 " received %d != %d",
3673 (int)tmi->rcmd_state.pt_len,
3674 (int)pt_len2);
3675 bp->b_datap->db_type = M_ERROR;
3676 bp->b_rptr = bp->b_datap->db_base;
3677 *bp->b_rptr = EIO;
3678 bp->b_wptr = bp->b_rptr + sizeof (char);
3679 freemsg(bp->b_cont);
3680 bp->b_cont = NULL;
3681 tmi->rcmd_state.cd_len = 0;
3682 qreply(WR(q), bp);
3683 return (NULL);
3684 }
3685 bp->b_rptr += sizeof (uint32_t);
3686 }
3687
3688 /*
3689 * Trim the decrypted block the length originally
3690 * indicated by the sender. This is to remove any
3691 * padding bytes that the sender added to satisfy
3692 * requirements of the crypto algorithm.
3693 */
3694 bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len;
3695
3696 newmp = bp;
3697
3698 /*
3699 * Reset our state to indicate we are ready
3700 * for a new message.
3701 */
3702 tmi->rcmd_state.pt_len = 0;
3703 tmi->rcmd_state.cd_len = 0;
3704 } else {
3705 #ifdef DEBUG
3706 cmn_err(CE_WARN,
3707 "decrypt_rcmd: do_decrypt on %d bytes failed",
3708 (int)tmi->rcmd_state.cd_len);
3709 #endif
3710 /*
3711 * do_decrypt already handled failures, just
3712 * return NULL.
3713 */
3714 tmi->rcmd_state.pt_len = 0;
3715 tmi->rcmd_state.cd_len = 0;
3716 return (NULL);
3717 }
3718 }
3719
3720 /*
3721 * return the new message with the 'length' fields removed
3722 */
3723 return (newmp);
3724 }
3725
3726 /*
3727 * cryptmodrsrv
3728 *
3729 * Read queue service routine
3730 * Necessary because if the ready flag is not set
3731 * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
3732 * must remain on queue and not be passed along.
3733 */
3734 static int
3735 cryptmodrsrv(queue_t *q)
3736 {
3737 mblk_t *mp, *bp;
3738 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3739
3740 while ((mp = getq(q)) != NULL) {
3741 switch (mp->b_datap->db_type) {
3742 case M_DATA:
3743 if (canputnext(q) && tmi->ready & CRYPT_READ_READY) {
3744 /*
3745 * Process "rcmd" messages differently because
3746 * they contain a 4 byte plaintext length
3747 * id that needs to be removed.
3748 */
3749 if (tmi->dec_data.method != CRYPT_METHOD_NONE &&
3750 (tmi->dec_data.option_mask &
3751 (CRYPTOPT_RCMD_MODE_V1 |
3752 CRYPTOPT_RCMD_MODE_V2))) {
3753 mp = decrypt_rcmd_mblks(q, mp);
3754 if (mp)
3755 putnext(q, mp);
3756 continue;
3757 }
3758 if ((bp = msgpullup(mp, -1)) != NULL) {
3759 freemsg(mp);
3760 if (MBLKL(bp) > 0) {
3761 mp = do_decrypt(q, bp);
3762 if (mp != NULL)
3763 putnext(q, mp);
3764 }
3765 }
3766 } else {
3767 if (!putbq(q, mp)) {
3768 freemsg(mp);
3769 }
3770 return (0);
3771 }
3772 break;
3773 default:
3774 /*
3775 * rput does not queue anything > QPCTL, so we don't
3776 * need to check for it here.
3777 */
3778 if (!canputnext(q)) {
3779 if (!putbq(q, mp))
3780 freemsg(mp);
3781 return (0);
3782 }
3783 putnext(q, mp);
3784 break;
3785 }
3786 }
3787 return (0);
3788 }
3789
3790
3791 /*
3792 * Read-side put procedure.
3793 */
3794 static void
3795 cryptmodrput(queue_t *rq, mblk_t *mp)
3796 {
3797 switch (mp->b_datap->db_type) {
3798 case M_DATA:
3799 if (!putq(rq, mp)) {
3800 freemsg(mp);
3801 }
3802 break;
3803 case M_FLUSH:
3804 if (*mp->b_rptr & FLUSHR) {
3805 flushq(rq, FLUSHALL);
3806 }
3807 putnext(rq, mp);
3808 break;
3809 default:
3810 if (queclass(mp) < QPCTL) {
3811 if (rq->q_first != NULL || !canputnext(rq)) {
3812 if (!putq(rq, mp))
3813 freemsg(mp);
3814 return;
3815 }
3816 }
3817 putnext(rq, mp);
3818 break;
3819 }
3820 }