]> git.proxmox.com Git - mirror_zfs.git/blob - module/icp/io/aes.c
projects / mirror_zfs.git / blob
? search:


ada697eb6d5295db3fa96322760988d5a972f2e5
[mirror_zfs.git] / module / icp / io / aes.c
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * AES provider for the Kernel Cryptographic Framework (KCF)
27 */
28
29 #include <sys/zfs_context.h>
30 #include <sys/crypto/common.h>
31 #include <sys/crypto/impl.h>
32 #include <sys/crypto/spi.h>
33 #include <sys/crypto/icp.h>
34 #include <modes/modes.h>
35 #include <sys/modctl.h>
36 #define _AES_IMPL
37 #include <aes/aes_impl.h>
38
39 #define CRYPTO_PROVIDER_NAME "aes"
40
41 extern struct mod_ops mod_cryptoops;
42
43 /*
44 * Module linkage information for the kernel.
45 */
46 static struct modlcrypto modlcrypto = {
47 &mod_cryptoops,
48 "AES Kernel SW Provider"
49 };
50
51 static struct modlinkage modlinkage = {
52 MODREV_1, { (void *)&modlcrypto, NULL }
53 };
54
55 /*
56 * Mechanism info structure passed to KCF during registration.
57 */
58 static crypto_mech_info_t aes_mech_info_tab[] = {
59 /* AES_ECB */
60 {SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE,
61 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
62 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
63 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
64 /* AES_CBC */
65 {SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE,
66 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
67 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
68 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
69 /* AES_CTR */
70 {SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE,
71 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
72 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
73 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
74 /* AES_CCM */
75 {SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE,
76 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
77 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
78 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
79 /* AES_GCM */
80 {SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE,
81 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
82 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
83 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
84 /* AES_GMAC */
85 {SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE,
86 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
87 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
88 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC |
89 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
90 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
91 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
92 };
93
94 /* operations are in-place if the output buffer is NULL */
95 #define AES_ARG_INPLACE(input, output) \
96 if ((output) == NULL) \
97 (output) = (input);
98
99 static void aes_provider_status(crypto_provider_handle_t, uint_t *);
100
101 static crypto_control_ops_t aes_control_ops = {
102 aes_provider_status
103 };
104
105 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
106 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
107 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
108 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
109 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *,
110 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t);
111 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *,
112 crypto_mechanism_t *, crypto_key_t *, int, boolean_t);
113 static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *,
114 crypto_req_handle_t);
115 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *,
116 crypto_req_handle_t);
117
118 static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
119 crypto_req_handle_t);
120 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *,
121 crypto_data_t *, crypto_req_handle_t);
122 static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
123 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
124 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
125
126 static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
127 crypto_req_handle_t);
128 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *,
129 crypto_data_t *, crypto_req_handle_t);
130 static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
131 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
132 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
133
134 static crypto_cipher_ops_t aes_cipher_ops = {
135 aes_encrypt_init,
136 aes_encrypt,
137 aes_encrypt_update,
138 aes_encrypt_final,
139 aes_encrypt_atomic,
140 aes_decrypt_init,
141 aes_decrypt,
142 aes_decrypt_update,
143 aes_decrypt_final,
144 aes_decrypt_atomic
145 };
146
147 static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
148 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
149 crypto_spi_ctx_template_t, crypto_req_handle_t);
150 static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
151 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
152 crypto_spi_ctx_template_t, crypto_req_handle_t);
153
154 static crypto_mac_ops_t aes_mac_ops = {
155 NULL,
156 NULL,
157 NULL,
158 NULL,
159 aes_mac_atomic,
160 aes_mac_verify_atomic
161 };
162
163 static int aes_create_ctx_template(crypto_provider_handle_t,
164 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
165 size_t *, crypto_req_handle_t);
166 static int aes_free_context(crypto_ctx_t *);
167
168 static crypto_ctx_ops_t aes_ctx_ops = {
169 aes_create_ctx_template,
170 aes_free_context
171 };
172
173 static crypto_ops_t aes_crypto_ops = {{{{{
174 &aes_control_ops,
175 NULL,
176 &aes_cipher_ops,
177 &aes_mac_ops,
178 NULL,
179 NULL,
180 NULL,
181 NULL,
182 NULL,
183 NULL,
184 NULL,
185 NULL,
186 NULL,
187 &aes_ctx_ops
188 }}}}};
189
190 static crypto_provider_info_t aes_prov_info = {{{{
191 CRYPTO_SPI_VERSION_1,
192 "AES Software Provider",
193 CRYPTO_SW_PROVIDER,
194 NULL,
195 &aes_crypto_ops,
196 sizeof (aes_mech_info_tab)/sizeof (crypto_mech_info_t),
197 aes_mech_info_tab
198 }}}};
199
200 static crypto_kcf_provider_handle_t aes_prov_handle = 0;
201 static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW };
202
203 int
204 aes_mod_init(void)
205 {
206 int ret;
207
208 if ((ret = mod_install(&modlinkage)) != 0)
209 return (ret);
210
211 /* Register with KCF. If the registration fails, remove the module. */
212 if (crypto_register_provider(&aes_prov_info, &aes_prov_handle)) {
213 (void) mod_remove(&modlinkage);
214 return (EACCES);
215 }
216
217 return (0);
218 }
219
220 int
221 aes_mod_fini(void)
222 {
223 /* Unregister from KCF if module is registered */
224 if (aes_prov_handle != 0) {
225 if (crypto_unregister_provider(aes_prov_handle))
226 return (EBUSY);
227
228 aes_prov_handle = 0;
229 }
230
231 return (mod_remove(&modlinkage));
232 }
233
234 static int
235 aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
236 {
237 void *p = NULL;
238 boolean_t param_required = B_TRUE;
239 size_t param_len;
240 void *(*alloc_fun)(int);
241 int rv = CRYPTO_SUCCESS;
242
243 switch (mechanism->cm_type) {
244 case AES_ECB_MECH_INFO_TYPE:
245 param_required = B_FALSE;
246 alloc_fun = ecb_alloc_ctx;
247 break;
248 case AES_CBC_MECH_INFO_TYPE:
249 param_len = AES_BLOCK_LEN;
250 alloc_fun = cbc_alloc_ctx;
251 break;
252 case AES_CTR_MECH_INFO_TYPE:
253 param_len = sizeof (CK_AES_CTR_PARAMS);
254 alloc_fun = ctr_alloc_ctx;
255 break;
256 case AES_CCM_MECH_INFO_TYPE:
257 param_len = sizeof (CK_AES_CCM_PARAMS);
258 alloc_fun = ccm_alloc_ctx;
259 break;
260 case AES_GCM_MECH_INFO_TYPE:
261 param_len = sizeof (CK_AES_GCM_PARAMS);
262 alloc_fun = gcm_alloc_ctx;
263 break;
264 case AES_GMAC_MECH_INFO_TYPE:
265 param_len = sizeof (CK_AES_GMAC_PARAMS);
266 alloc_fun = gmac_alloc_ctx;
267 break;
268 default:
269 rv = CRYPTO_MECHANISM_INVALID;
270 return (rv);
271 }
272 if (param_required && mechanism->cm_param != NULL &&
273 mechanism->cm_param_len != param_len) {
274 rv = CRYPTO_MECHANISM_PARAM_INVALID;
275 }
276 if (ctx != NULL) {
277 p = (alloc_fun)(kmflag);
278 *ctx = p;
279 }
280 return (rv);
281 }
282
283 /*
284 * Initialize key schedules for AES
285 */
286 static int
287 init_keysched(crypto_key_t *key, void *newbie)
288 {
289 /*
290 * Only keys by value are supported by this module.
291 */
292 switch (key->ck_format) {
293 case CRYPTO_KEY_RAW:
294 if (key->ck_length < AES_MINBITS ||
295 key->ck_length > AES_MAXBITS) {
296 return (CRYPTO_KEY_SIZE_RANGE);
297 }
298
299 /* key length must be either 128, 192, or 256 */
300 if ((key->ck_length & 63) != 0)
301 return (CRYPTO_KEY_SIZE_RANGE);
302 break;
303 default:
304 return (CRYPTO_KEY_TYPE_INCONSISTENT);
305 }
306
307 aes_init_keysched(key->ck_data, key->ck_length, newbie);
308 return (CRYPTO_SUCCESS);
309 }
310
311 /*
312 * KCF software provider control entry points.
313 */
314 /* ARGSUSED */
315 static void
316 aes_provider_status(crypto_provider_handle_t provider, uint_t *status)
317 {
318 *status = CRYPTO_PROVIDER_READY;
319 }
320
321 static int
322 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
323 crypto_key_t *key, crypto_spi_ctx_template_t template,
324 crypto_req_handle_t req) {
325 return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE));
326 }
327
328 static int
329 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
330 crypto_key_t *key, crypto_spi_ctx_template_t template,
331 crypto_req_handle_t req) {
332 return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE));
333 }
334
335
336
337 /*
338 * KCF software provider encrypt entry points.
339 */
340 static int
341 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
342 crypto_key_t *key, crypto_spi_ctx_template_t template,
343 crypto_req_handle_t req, boolean_t is_encrypt_init)
344 {
345 aes_ctx_t *aes_ctx;
346 int rv;
347 int kmflag;
348
349 /*
350 * Only keys by value are supported by this module.
351 */
352 if (key->ck_format != CRYPTO_KEY_RAW) {
353 return (CRYPTO_KEY_TYPE_INCONSISTENT);
354 }
355
356 kmflag = crypto_kmflag(req);
357 if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag))
358 != CRYPTO_SUCCESS)
359 return (rv);
360
361 rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
362 is_encrypt_init);
363 if (rv != CRYPTO_SUCCESS) {
364 crypto_free_mode_ctx(aes_ctx);
365 return (rv);
366 }
367
368 ctx->cc_provider_private = aes_ctx;
369
370 return (CRYPTO_SUCCESS);
371 }
372
373 static void
374 aes_copy_block64(uint8_t *in, uint64_t *out)
375 {
376 if (IS_P2ALIGNED(in, sizeof (uint64_t))) {
377 /* LINTED: pointer alignment */
378 out[0] = *(uint64_t *)&in[0];
379 /* LINTED: pointer alignment */
380 out[1] = *(uint64_t *)&in[8];
381 } else {
382 uint8_t *iv8 = (uint8_t *)&out[0];
383
384 AES_COPY_BLOCK(in, iv8);
385 }
386 }
387
388
389 static int
390 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
391 crypto_data_t *ciphertext, crypto_req_handle_t req)
392 {
393 int ret = CRYPTO_FAILED;
394
395 aes_ctx_t *aes_ctx;
396 size_t saved_length, saved_offset, length_needed;
397
398 ASSERT(ctx->cc_provider_private != NULL);
399 aes_ctx = ctx->cc_provider_private;
400
401 /*
402 * For block ciphers, plaintext must be a multiple of AES block size.
403 * This test is only valid for ciphers whose blocksize is a power of 2.
404 */
405 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
406 == 0) && (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
407 return (CRYPTO_DATA_LEN_RANGE);
408
409 AES_ARG_INPLACE(plaintext, ciphertext);
410
411 /*
412 * We need to just return the length needed to store the output.
413 * We should not destroy the context for the following case.
414 */
415 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
416 case CCM_MODE:
417 length_needed = plaintext->cd_length + aes_ctx->ac_mac_len;
418 break;
419 case GCM_MODE:
420 length_needed = plaintext->cd_length + aes_ctx->ac_tag_len;
421 break;
422 case GMAC_MODE:
423 if (plaintext->cd_length != 0)
424 return (CRYPTO_ARGUMENTS_BAD);
425
426 length_needed = aes_ctx->ac_tag_len;
427 break;
428 default:
429 length_needed = plaintext->cd_length;
430 }
431
432 if (ciphertext->cd_length < length_needed) {
433 ciphertext->cd_length = length_needed;
434 return (CRYPTO_BUFFER_TOO_SMALL);
435 }
436
437 saved_length = ciphertext->cd_length;
438 saved_offset = ciphertext->cd_offset;
439
440 /*
441 * Do an update on the specified input data.
442 */
443 ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
444 if (ret != CRYPTO_SUCCESS) {
445 return (ret);
446 }
447
448 /*
449 * For CCM mode, aes_ccm_encrypt_final() will take care of any
450 * left-over unprocessed data, and compute the MAC
451 */
452 if (aes_ctx->ac_flags & CCM_MODE) {
453 /*
454 * ccm_encrypt_final() will compute the MAC and append
455 * it to existing ciphertext. So, need to adjust the left over
456 * length value accordingly
457 */
458
459 /* order of following 2 lines MUST not be reversed */
460 ciphertext->cd_offset = ciphertext->cd_length;
461 ciphertext->cd_length = saved_length - ciphertext->cd_length;
462 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext,
463 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
464 if (ret != CRYPTO_SUCCESS) {
465 return (ret);
466 }
467
468 if (plaintext != ciphertext) {
469 ciphertext->cd_length =
470 ciphertext->cd_offset - saved_offset;
471 }
472 ciphertext->cd_offset = saved_offset;
473 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
474 /*
475 * gcm_encrypt_final() will compute the MAC and append
476 * it to existing ciphertext. So, need to adjust the left over
477 * length value accordingly
478 */
479
480 /* order of following 2 lines MUST not be reversed */
481 ciphertext->cd_offset = ciphertext->cd_length;
482 ciphertext->cd_length = saved_length - ciphertext->cd_length;
483 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext,
484 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
485 aes_xor_block);
486 if (ret != CRYPTO_SUCCESS) {
487 return (ret);
488 }
489
490 if (plaintext != ciphertext) {
491 ciphertext->cd_length =
492 ciphertext->cd_offset - saved_offset;
493 }
494 ciphertext->cd_offset = saved_offset;
495 }
496
497 ASSERT(aes_ctx->ac_remainder_len == 0);
498 (void) aes_free_context(ctx);
499
500 return (ret);
501 }
502
503
504 static int
505 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
506 crypto_data_t *plaintext, crypto_req_handle_t req)
507 {
508 int ret = CRYPTO_FAILED;
509
510 aes_ctx_t *aes_ctx;
511 off_t saved_offset;
512 size_t saved_length, length_needed;
513
514 ASSERT(ctx->cc_provider_private != NULL);
515 aes_ctx = ctx->cc_provider_private;
516
517 /*
518 * For block ciphers, plaintext must be a multiple of AES block size.
519 * This test is only valid for ciphers whose blocksize is a power of 2.
520 */
521 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
522 == 0) && (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) {
523 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
524 }
525
526 AES_ARG_INPLACE(ciphertext, plaintext);
527
528 /*
529 * Return length needed to store the output.
530 * Do not destroy context when plaintext buffer is too small.
531 *
532 * CCM: plaintext is MAC len smaller than cipher text
533 * GCM: plaintext is TAG len smaller than cipher text
534 * GMAC: plaintext length must be zero
535 */
536 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
537 case CCM_MODE:
538 length_needed = aes_ctx->ac_processed_data_len;
539 break;
540 case GCM_MODE:
541 length_needed = ciphertext->cd_length - aes_ctx->ac_tag_len;
542 break;
543 case GMAC_MODE:
544 if (plaintext->cd_length != 0)
545 return (CRYPTO_ARGUMENTS_BAD);
546
547 length_needed = 0;
548 break;
549 default:
550 length_needed = ciphertext->cd_length;
551 }
552
553 if (plaintext->cd_length < length_needed) {
554 plaintext->cd_length = length_needed;
555 return (CRYPTO_BUFFER_TOO_SMALL);
556 }
557
558 saved_offset = plaintext->cd_offset;
559 saved_length = plaintext->cd_length;
560
561 /*
562 * Do an update on the specified input data.
563 */
564 ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
565 if (ret != CRYPTO_SUCCESS) {
566 goto cleanup;
567 }
568
569 if (aes_ctx->ac_flags & CCM_MODE) {
570 ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len);
571 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
572
573 /* order of following 2 lines MUST not be reversed */
574 plaintext->cd_offset = plaintext->cd_length;
575 plaintext->cd_length = saved_length - plaintext->cd_length;
576
577 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext,
578 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
579 aes_xor_block);
580 if (ret == CRYPTO_SUCCESS) {
581 if (plaintext != ciphertext) {
582 plaintext->cd_length =
583 plaintext->cd_offset - saved_offset;
584 }
585 } else {
586 plaintext->cd_length = saved_length;
587 }
588
589 plaintext->cd_offset = saved_offset;
590 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
591 /* order of following 2 lines MUST not be reversed */
592 plaintext->cd_offset = plaintext->cd_length;
593 plaintext->cd_length = saved_length - plaintext->cd_length;
594
595 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext,
596 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
597 if (ret == CRYPTO_SUCCESS) {
598 if (plaintext != ciphertext) {
599 plaintext->cd_length =
600 plaintext->cd_offset - saved_offset;
601 }
602 } else {
603 plaintext->cd_length = saved_length;
604 }
605
606 plaintext->cd_offset = saved_offset;
607 }
608
609 ASSERT(aes_ctx->ac_remainder_len == 0);
610
611 cleanup:
612 (void) aes_free_context(ctx);
613
614 return (ret);
615 }
616
617
618 /* ARGSUSED */
619 static int
620 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
621 crypto_data_t *ciphertext, crypto_req_handle_t req)
622 {
623 off_t saved_offset;
624 size_t saved_length, out_len;
625 int ret = CRYPTO_SUCCESS;
626 aes_ctx_t *aes_ctx;
627
628 ASSERT(ctx->cc_provider_private != NULL);
629 aes_ctx = ctx->cc_provider_private;
630
631 AES_ARG_INPLACE(plaintext, ciphertext);
632
633 /* compute number of bytes that will hold the ciphertext */
634 out_len = aes_ctx->ac_remainder_len;
635 out_len += plaintext->cd_length;
636 out_len &= ~(AES_BLOCK_LEN - 1);
637
638 /* return length needed to store the output */
639 if (ciphertext->cd_length < out_len) {
640 ciphertext->cd_length = out_len;
641 return (CRYPTO_BUFFER_TOO_SMALL);
642 }
643
644 saved_offset = ciphertext->cd_offset;
645 saved_length = ciphertext->cd_length;
646
647 /*
648 * Do the AES update on the specified input data.
649 */
650 switch (plaintext->cd_format) {
651 case CRYPTO_DATA_RAW:
652 ret = crypto_update_iov(ctx->cc_provider_private,
653 plaintext, ciphertext, aes_encrypt_contiguous_blocks,
654 aes_copy_block64);
655 break;
656 case CRYPTO_DATA_UIO:
657 ret = crypto_update_uio(ctx->cc_provider_private,
658 plaintext, ciphertext, aes_encrypt_contiguous_blocks,
659 aes_copy_block64);
660 break;
661 default:
662 ret = CRYPTO_ARGUMENTS_BAD;
663 }
664
665 /*
666 * Since AES counter mode is a stream cipher, we call
667 * ctr_mode_final() to pick up any remaining bytes.
668 * It is an internal function that does not destroy
669 * the context like *normal* final routines.
670 */
671 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
672 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx,
673 ciphertext, aes_encrypt_block);
674 }
675
676 if (ret == CRYPTO_SUCCESS) {
677 if (plaintext != ciphertext)
678 ciphertext->cd_length =
679 ciphertext->cd_offset - saved_offset;
680 } else {
681 ciphertext->cd_length = saved_length;
682 }
683 ciphertext->cd_offset = saved_offset;
684
685 return (ret);
686 }
687
688
689 static int
690 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
691 crypto_data_t *plaintext, crypto_req_handle_t req)
692 {
693 off_t saved_offset;
694 size_t saved_length, out_len;
695 int ret = CRYPTO_SUCCESS;
696 aes_ctx_t *aes_ctx;
697
698 ASSERT(ctx->cc_provider_private != NULL);
699 aes_ctx = ctx->cc_provider_private;
700
701 AES_ARG_INPLACE(ciphertext, plaintext);
702
703 /*
704 * Compute number of bytes that will hold the plaintext.
705 * This is not necessary for CCM, GCM, and GMAC since these
706 * mechanisms never return plaintext for update operations.
707 */
708 if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
709 out_len = aes_ctx->ac_remainder_len;
710 out_len += ciphertext->cd_length;
711 out_len &= ~(AES_BLOCK_LEN - 1);
712
713 /* return length needed to store the output */
714 if (plaintext->cd_length < out_len) {
715 plaintext->cd_length = out_len;
716 return (CRYPTO_BUFFER_TOO_SMALL);
717 }
718 }
719
720 saved_offset = plaintext->cd_offset;
721 saved_length = plaintext->cd_length;
722
723 if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE))
724 gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req));
725
726 /*
727 * Do the AES update on the specified input data.
728 */
729 switch (ciphertext->cd_format) {
730 case CRYPTO_DATA_RAW:
731 ret = crypto_update_iov(ctx->cc_provider_private,
732 ciphertext, plaintext, aes_decrypt_contiguous_blocks,
733 aes_copy_block64);
734 break;
735 case CRYPTO_DATA_UIO:
736 ret = crypto_update_uio(ctx->cc_provider_private,
737 ciphertext, plaintext, aes_decrypt_contiguous_blocks,
738 aes_copy_block64);
739 break;
740 default:
741 ret = CRYPTO_ARGUMENTS_BAD;
742 }
743
744 /*
745 * Since AES counter mode is a stream cipher, we call
746 * ctr_mode_final() to pick up any remaining bytes.
747 * It is an internal function that does not destroy
748 * the context like *normal* final routines.
749 */
750 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
751 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, plaintext,
752 aes_encrypt_block);
753 if (ret == CRYPTO_DATA_LEN_RANGE)
754 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
755 }
756
757 if (ret == CRYPTO_SUCCESS) {
758 if (ciphertext != plaintext)
759 plaintext->cd_length =
760 plaintext->cd_offset - saved_offset;
761 } else {
762 plaintext->cd_length = saved_length;
763 }
764 plaintext->cd_offset = saved_offset;
765
766
767 return (ret);
768 }
769
770 /* ARGSUSED */
771 static int
772 aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
773 crypto_req_handle_t req)
774 {
775 aes_ctx_t *aes_ctx;
776 int ret;
777
778 ASSERT(ctx->cc_provider_private != NULL);
779 aes_ctx = ctx->cc_provider_private;
780
781 if (data->cd_format != CRYPTO_DATA_RAW &&
782 data->cd_format != CRYPTO_DATA_UIO) {
783 return (CRYPTO_ARGUMENTS_BAD);
784 }
785
786 if (aes_ctx->ac_flags & CTR_MODE) {
787 if (aes_ctx->ac_remainder_len > 0) {
788 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
789 aes_encrypt_block);
790 if (ret != CRYPTO_SUCCESS)
791 return (ret);
792 }
793 } else if (aes_ctx->ac_flags & CCM_MODE) {
794 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data,
795 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
796 if (ret != CRYPTO_SUCCESS) {
797 return (ret);
798 }
799 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
800 size_t saved_offset = data->cd_offset;
801
802 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data,
803 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
804 aes_xor_block);
805 if (ret != CRYPTO_SUCCESS) {
806 return (ret);
807 }
808 data->cd_length = data->cd_offset - saved_offset;
809 data->cd_offset = saved_offset;
810 } else {
811 /*
812 * There must be no unprocessed plaintext.
813 * This happens if the length of the last data is
814 * not a multiple of the AES block length.
815 */
816 if (aes_ctx->ac_remainder_len > 0) {
817 return (CRYPTO_DATA_LEN_RANGE);
818 }
819 data->cd_length = 0;
820 }
821
822 (void) aes_free_context(ctx);
823
824 return (CRYPTO_SUCCESS);
825 }
826
827 /* ARGSUSED */
828 static int
829 aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
830 crypto_req_handle_t req)
831 {
832 aes_ctx_t *aes_ctx;
833 int ret;
834 off_t saved_offset;
835 size_t saved_length;
836
837 ASSERT(ctx->cc_provider_private != NULL);
838 aes_ctx = ctx->cc_provider_private;
839
840 if (data->cd_format != CRYPTO_DATA_RAW &&
841 data->cd_format != CRYPTO_DATA_UIO) {
842 return (CRYPTO_ARGUMENTS_BAD);
843 }
844
845 /*
846 * There must be no unprocessed ciphertext.
847 * This happens if the length of the last ciphertext is
848 * not a multiple of the AES block length.
849 */
850 if (aes_ctx->ac_remainder_len > 0) {
851 if ((aes_ctx->ac_flags & CTR_MODE) == 0)
852 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
853 else {
854 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
855 aes_encrypt_block);
856 if (ret == CRYPTO_DATA_LEN_RANGE)
857 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
858 if (ret != CRYPTO_SUCCESS)
859 return (ret);
860 }
861 }
862
863 if (aes_ctx->ac_flags & CCM_MODE) {
864 /*
865 * This is where all the plaintext is returned, make sure
866 * the plaintext buffer is big enough
867 */
868 size_t pt_len = aes_ctx->ac_data_len;
869 if (data->cd_length < pt_len) {
870 data->cd_length = pt_len;
871 return (CRYPTO_BUFFER_TOO_SMALL);
872 }
873
874 ASSERT(aes_ctx->ac_processed_data_len == pt_len);
875 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
876 saved_offset = data->cd_offset;
877 saved_length = data->cd_length;
878 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data,
879 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
880 aes_xor_block);
881 if (ret == CRYPTO_SUCCESS) {
882 data->cd_length = data->cd_offset - saved_offset;
883 } else {
884 data->cd_length = saved_length;
885 }
886
887 data->cd_offset = saved_offset;
888 if (ret != CRYPTO_SUCCESS) {
889 return (ret);
890 }
891 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
892 /*
893 * This is where all the plaintext is returned, make sure
894 * the plaintext buffer is big enough
895 */
896 gcm_ctx_t *ctx = (gcm_ctx_t *)aes_ctx;
897 size_t pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len;
898
899 if (data->cd_length < pt_len) {
900 data->cd_length = pt_len;
901 return (CRYPTO_BUFFER_TOO_SMALL);
902 }
903
904 saved_offset = data->cd_offset;
905 saved_length = data->cd_length;
906 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, data,
907 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
908 if (ret == CRYPTO_SUCCESS) {
909 data->cd_length = data->cd_offset - saved_offset;
910 } else {
911 data->cd_length = saved_length;
912 }
913
914 data->cd_offset = saved_offset;
915 if (ret != CRYPTO_SUCCESS) {
916 return (ret);
917 }
918 }
919
920
921 if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
922 data->cd_length = 0;
923 }
924
925 (void) aes_free_context(ctx);
926
927 return (CRYPTO_SUCCESS);
928 }
929
930 /* ARGSUSED */
931 static int
932 aes_encrypt_atomic(crypto_provider_handle_t provider,
933 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
934 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
935 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
936 {
937 aes_ctx_t aes_ctx; /* on the stack */
938 off_t saved_offset;
939 size_t saved_length;
940 size_t length_needed;
941 int ret;
942
943 AES_ARG_INPLACE(plaintext, ciphertext);
944
945 /*
946 * CTR, CCM, GCM, and GMAC modes do not require that plaintext
947 * be a multiple of AES block size.
948 */
949 switch (mechanism->cm_type) {
950 case AES_CTR_MECH_INFO_TYPE:
951 case AES_CCM_MECH_INFO_TYPE:
952 case AES_GCM_MECH_INFO_TYPE:
953 case AES_GMAC_MECH_INFO_TYPE:
954 break;
955 default:
956 if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
957 return (CRYPTO_DATA_LEN_RANGE);
958 }
959
960 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
961 return (ret);
962
963 bzero(&aes_ctx, sizeof (aes_ctx_t));
964
965 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
966 crypto_kmflag(req), B_TRUE);
967 if (ret != CRYPTO_SUCCESS)
968 return (ret);
969
970 switch (mechanism->cm_type) {
971 case AES_CCM_MECH_INFO_TYPE:
972 length_needed = plaintext->cd_length + aes_ctx.ac_mac_len;
973 break;
974 case AES_GMAC_MECH_INFO_TYPE:
975 if (plaintext->cd_length != 0)
976 return (CRYPTO_ARGUMENTS_BAD);
977 /* FALLTHRU */
978 case AES_GCM_MECH_INFO_TYPE:
979 length_needed = plaintext->cd_length + aes_ctx.ac_tag_len;
980 break;
981 default:
982 length_needed = plaintext->cd_length;
983 }
984
985 /* return size of buffer needed to store output */
986 if (ciphertext->cd_length < length_needed) {
987 ciphertext->cd_length = length_needed;
988 ret = CRYPTO_BUFFER_TOO_SMALL;
989 goto out;
990 }
991
992 saved_offset = ciphertext->cd_offset;
993 saved_length = ciphertext->cd_length;
994
995 /*
996 * Do an update on the specified input data.
997 */
998 switch (plaintext->cd_format) {
999 case CRYPTO_DATA_RAW:
1000 ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext,
1001 aes_encrypt_contiguous_blocks, aes_copy_block64);
1002 break;
1003 case CRYPTO_DATA_UIO:
1004 ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext,
1005 aes_encrypt_contiguous_blocks, aes_copy_block64);
1006 break;
1007 default:
1008 ret = CRYPTO_ARGUMENTS_BAD;
1009 }
1010
1011 if (ret == CRYPTO_SUCCESS) {
1012 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1013 ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx,
1014 ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1015 aes_xor_block);
1016 if (ret != CRYPTO_SUCCESS)
1017 goto out;
1018 ASSERT(aes_ctx.ac_remainder_len == 0);
1019 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1020 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1021 ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx,
1022 ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1023 aes_copy_block, aes_xor_block);
1024 if (ret != CRYPTO_SUCCESS)
1025 goto out;
1026 ASSERT(aes_ctx.ac_remainder_len == 0);
1027 } else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
1028 if (aes_ctx.ac_remainder_len > 0) {
1029 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1030 ciphertext, aes_encrypt_block);
1031 if (ret != CRYPTO_SUCCESS)
1032 goto out;
1033 }
1034 } else {
1035 ASSERT(aes_ctx.ac_remainder_len == 0);
1036 }
1037
1038 if (plaintext != ciphertext) {
1039 ciphertext->cd_length =
1040 ciphertext->cd_offset - saved_offset;
1041 }
1042 } else {
1043 ciphertext->cd_length = saved_length;
1044 }
1045 ciphertext->cd_offset = saved_offset;
1046
1047 out:
1048 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1049 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1050 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1051 }
1052
1053 return (ret);
1054 }
1055
1056 /* ARGSUSED */
1057 static int
1058 aes_decrypt_atomic(crypto_provider_handle_t provider,
1059 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1060 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
1061 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1062 {
1063 aes_ctx_t aes_ctx; /* on the stack */
1064 off_t saved_offset;
1065 size_t saved_length;
1066 size_t length_needed;
1067 int ret;
1068
1069 AES_ARG_INPLACE(ciphertext, plaintext);
1070
1071 /*
1072 * CCM, GCM, CTR, and GMAC modes do not require that ciphertext
1073 * be a multiple of AES block size.
1074 */
1075 switch (mechanism->cm_type) {
1076 case AES_CTR_MECH_INFO_TYPE:
1077 case AES_CCM_MECH_INFO_TYPE:
1078 case AES_GCM_MECH_INFO_TYPE:
1079 case AES_GMAC_MECH_INFO_TYPE:
1080 break;
1081 default:
1082 if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
1083 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
1084 }
1085
1086 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
1087 return (ret);
1088
1089 bzero(&aes_ctx, sizeof (aes_ctx_t));
1090
1091 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1092 crypto_kmflag(req), B_FALSE);
1093 if (ret != CRYPTO_SUCCESS)
1094 return (ret);
1095
1096 switch (mechanism->cm_type) {
1097 case AES_CCM_MECH_INFO_TYPE:
1098 length_needed = aes_ctx.ac_data_len;
1099 break;
1100 case AES_GCM_MECH_INFO_TYPE:
1101 length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len;
1102 break;
1103 case AES_GMAC_MECH_INFO_TYPE:
1104 if (plaintext->cd_length != 0)
1105 return (CRYPTO_ARGUMENTS_BAD);
1106 length_needed = 0;
1107 break;
1108 default:
1109 length_needed = ciphertext->cd_length;
1110 }
1111
1112 /* return size of buffer needed to store output */
1113 if (plaintext->cd_length < length_needed) {
1114 plaintext->cd_length = length_needed;
1115 ret = CRYPTO_BUFFER_TOO_SMALL;
1116 goto out;
1117 }
1118
1119 saved_offset = plaintext->cd_offset;
1120 saved_length = plaintext->cd_length;
1121
1122 if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1123 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE)
1124 gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req));
1125
1126 /*
1127 * Do an update on the specified input data.
1128 */
1129 switch (ciphertext->cd_format) {
1130 case CRYPTO_DATA_RAW:
1131 ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext,
1132 aes_decrypt_contiguous_blocks, aes_copy_block64);
1133 break;
1134 case CRYPTO_DATA_UIO:
1135 ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext,
1136 aes_decrypt_contiguous_blocks, aes_copy_block64);
1137 break;
1138 default:
1139 ret = CRYPTO_ARGUMENTS_BAD;
1140 }
1141
1142 if (ret == CRYPTO_SUCCESS) {
1143 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1144 ASSERT(aes_ctx.ac_processed_data_len
1145 == aes_ctx.ac_data_len);
1146 ASSERT(aes_ctx.ac_processed_mac_len
1147 == aes_ctx.ac_mac_len);
1148 ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx,
1149 plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1150 aes_copy_block, aes_xor_block);
1151 ASSERT(aes_ctx.ac_remainder_len == 0);
1152 if ((ret == CRYPTO_SUCCESS) &&
1153 (ciphertext != plaintext)) {
1154 plaintext->cd_length =
1155 plaintext->cd_offset - saved_offset;
1156 } else {
1157 plaintext->cd_length = saved_length;
1158 }
1159 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1160 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1161 ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx,
1162 plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1163 aes_xor_block);
1164 ASSERT(aes_ctx.ac_remainder_len == 0);
1165 if ((ret == CRYPTO_SUCCESS) &&
1166 (ciphertext != plaintext)) {
1167 plaintext->cd_length =
1168 plaintext->cd_offset - saved_offset;
1169 } else {
1170 plaintext->cd_length = saved_length;
1171 }
1172 } else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) {
1173 ASSERT(aes_ctx.ac_remainder_len == 0);
1174 if (ciphertext != plaintext)
1175 plaintext->cd_length =
1176 plaintext->cd_offset - saved_offset;
1177 } else {
1178 if (aes_ctx.ac_remainder_len > 0) {
1179 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1180 plaintext, aes_encrypt_block);
1181 if (ret == CRYPTO_DATA_LEN_RANGE)
1182 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
1183 if (ret != CRYPTO_SUCCESS)
1184 goto out;
1185 }
1186 if (ciphertext != plaintext)
1187 plaintext->cd_length =
1188 plaintext->cd_offset - saved_offset;
1189 }
1190 } else {
1191 plaintext->cd_length = saved_length;
1192 }
1193 plaintext->cd_offset = saved_offset;
1194
1195 out:
1196 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1197 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1198 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1199 }
1200
1201 if (aes_ctx.ac_flags & CCM_MODE) {
1202 if (aes_ctx.ac_pt_buf != NULL) {
1203 vmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
1204 }
1205 } else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) {
1206 if (((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf != NULL) {
1207 vmem_free(((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf,
1208 ((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf_len);
1209 }
1210 }
1211
1212 return (ret);
1213 }
1214
1215 /*
1216 * KCF software provider context template entry points.
1217 */
1218 /* ARGSUSED */
1219 static int
1220 aes_create_ctx_template(crypto_provider_handle_t provider,
1221 crypto_mechanism_t *mechanism, crypto_key_t *key,
1222 crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
1223 {
1224 void *keysched;
1225 size_t size;
1226 int rv;
1227
1228 if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE &&
1229 mechanism->cm_type != AES_CBC_MECH_INFO_TYPE &&
1230 mechanism->cm_type != AES_CTR_MECH_INFO_TYPE &&
1231 mechanism->cm_type != AES_CCM_MECH_INFO_TYPE &&
1232 mechanism->cm_type != AES_GCM_MECH_INFO_TYPE &&
1233 mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE)
1234 return (CRYPTO_MECHANISM_INVALID);
1235
1236 if ((keysched = aes_alloc_keysched(&size,
1237 crypto_kmflag(req))) == NULL) {
1238 return (CRYPTO_HOST_MEMORY);
1239 }
1240
1241 /*
1242 * Initialize key schedule. Key length information is stored
1243 * in the key.
1244 */
1245 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1246 bzero(keysched, size);
1247 kmem_free(keysched, size);
1248 return (rv);
1249 }
1250
1251 *tmpl = keysched;
1252 *tmpl_size = size;
1253
1254 return (CRYPTO_SUCCESS);
1255 }
1256
1257
1258 static int
1259 aes_free_context(crypto_ctx_t *ctx)
1260 {
1261 aes_ctx_t *aes_ctx = ctx->cc_provider_private;
1262
1263 if (aes_ctx != NULL) {
1264 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1265 ASSERT(aes_ctx->ac_keysched_len != 0);
1266 bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len);
1267 kmem_free(aes_ctx->ac_keysched,
1268 aes_ctx->ac_keysched_len);
1269 }
1270 crypto_free_mode_ctx(aes_ctx);
1271 ctx->cc_provider_private = NULL;
1272 }
1273
1274 return (CRYPTO_SUCCESS);
1275 }
1276
1277
1278 static int
1279 aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template,
1280 crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag,
1281 boolean_t is_encrypt_init)
1282 {
1283 int rv = CRYPTO_SUCCESS;
1284 void *keysched;
1285 size_t size;
1286
1287 if (template == NULL) {
1288 if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL)
1289 return (CRYPTO_HOST_MEMORY);
1290 /*
1291 * Initialize key schedule.
1292 * Key length is stored in the key.
1293 */
1294 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1295 kmem_free(keysched, size);
1296 return (rv);
1297 }
1298
1299 aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE;
1300 aes_ctx->ac_keysched_len = size;
1301 } else {
1302 keysched = template;
1303 }
1304 aes_ctx->ac_keysched = keysched;
1305
1306 switch (mechanism->cm_type) {
1307 case AES_CBC_MECH_INFO_TYPE:
1308 rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param,
1309 mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64);
1310 break;
1311 case AES_CTR_MECH_INFO_TYPE: {
1312 CK_AES_CTR_PARAMS *pp;
1313
1314 if (mechanism->cm_param == NULL ||
1315 mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) {
1316 return (CRYPTO_MECHANISM_PARAM_INVALID);
1317 }
1318 pp = (CK_AES_CTR_PARAMS *)(void *)mechanism->cm_param;
1319 rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
1320 pp->cb, aes_copy_block);
1321 break;
1322 }
1323 case AES_CCM_MECH_INFO_TYPE:
1324 if (mechanism->cm_param == NULL ||
1325 mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) {
1326 return (CRYPTO_MECHANISM_PARAM_INVALID);
1327 }
1328 rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param,
1329 kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block,
1330 aes_xor_block);
1331 break;
1332 case AES_GCM_MECH_INFO_TYPE:
1333 if (mechanism->cm_param == NULL ||
1334 mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) {
1335 return (CRYPTO_MECHANISM_PARAM_INVALID);
1336 }
1337 rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1338 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1339 aes_xor_block);
1340 break;
1341 case AES_GMAC_MECH_INFO_TYPE:
1342 if (mechanism->cm_param == NULL ||
1343 mechanism->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) {
1344 return (CRYPTO_MECHANISM_PARAM_INVALID);
1345 }
1346 rv = gmac_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1347 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1348 aes_xor_block);
1349 break;
1350 case AES_ECB_MECH_INFO_TYPE:
1351 aes_ctx->ac_flags |= ECB_MODE;
1352 }
1353
1354 if (rv != CRYPTO_SUCCESS) {
1355 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1356 bzero(keysched, size);
1357 kmem_free(keysched, size);
1358 }
1359 }
1360
1361 return (rv);
1362 }
1363
1364 static int
1365 process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data,
1366 CK_AES_GCM_PARAMS *gcm_params)
1367 {
1368 /* LINTED: pointer alignment */
1369 CK_AES_GMAC_PARAMS *params = (CK_AES_GMAC_PARAMS *)mech->cm_param;
1370
1371 if (mech->cm_type != AES_GMAC_MECH_INFO_TYPE)
1372 return (CRYPTO_MECHANISM_INVALID);
1373
1374 if (mech->cm_param_len != sizeof (CK_AES_GMAC_PARAMS))
1375 return (CRYPTO_MECHANISM_PARAM_INVALID);
1376
1377 if (params->pIv == NULL)
1378 return (CRYPTO_MECHANISM_PARAM_INVALID);
1379
1380 gcm_params->pIv = params->pIv;
1381 gcm_params->ulIvLen = AES_GMAC_IV_LEN;
1382 gcm_params->ulTagBits = AES_GMAC_TAG_BITS;
1383
1384 if (data == NULL)
1385 return (CRYPTO_SUCCESS);
1386
1387 if (data->cd_format != CRYPTO_DATA_RAW)
1388 return (CRYPTO_ARGUMENTS_BAD);
1389
1390 gcm_params->pAAD = (uchar_t *)data->cd_raw.iov_base;
1391 gcm_params->ulAADLen = data->cd_length;
1392 return (CRYPTO_SUCCESS);
1393 }
1394
1395 static int
1396 aes_mac_atomic(crypto_provider_handle_t provider,
1397 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1398 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1399 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1400 {
1401 CK_AES_GCM_PARAMS gcm_params;
1402 crypto_mechanism_t gcm_mech;
1403 int rv;
1404
1405 if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1406 != CRYPTO_SUCCESS)
1407 return (rv);
1408
1409 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1410 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1411 gcm_mech.cm_param = (char *)&gcm_params;
1412
1413 return (aes_encrypt_atomic(provider, session_id, &gcm_mech,
1414 key, &null_crypto_data, mac, template, req));
1415 }
1416
1417 static int
1418 aes_mac_verify_atomic(crypto_provider_handle_t provider,
1419 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1420 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1421 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1422 {
1423 CK_AES_GCM_PARAMS gcm_params;
1424 crypto_mechanism_t gcm_mech;
1425 int rv;
1426
1427 if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1428 != CRYPTO_SUCCESS)
1429 return (rv);
1430
1431 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1432 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1433 gcm_mech.cm_param = (char *)&gcm_params;
1434
1435 return (aes_decrypt_atomic(provider, session_id, &gcm_mech,
1436 key, mac, &null_crypto_data, template, req));
1437 }
ZFS On Linux mirror for PVE