2 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
5 * STREAMS Crypto Module
7 * This module is used to facilitate Kerberos encryption
8 * operations for the telnet daemon and rlogin daemon.
9 * Because the Solaris telnet and rlogin daemons run mostly
10 * in-kernel via 'telmod' and 'rlmod', this module must be
11 * pushed on the STREAM *below* telmod or rlmod.
13 * Parts of the 3DES key derivation code are covered by the
14 * following copyright.
16 * Copyright (C) 1998 by the FundsXpress, INC.
18 * All rights reserved.
20 * Export of this software from the United States of America may require
21 * a specific license from the United States Government. It is the
22 * responsibility of any person or organization contemplating export to
23 * obtain such a license before exporting.
25 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
26 * distribute this software and its documentation for any purpose and
27 * without fee is hereby granted, provided that the above copyright
28 * notice appear in all copies and that both that copyright notice and
29 * this permission notice appear in supporting documentation, and that
30 * the name of FundsXpress. not be used in advertising or publicity pertaining
31 * to distribution of the software without specific, written prior
32 * permission. FundsXpress makes no representations about the suitability of
33 * this software for any purpose. It is provided "as is" without express
34 * or implied warranty.
36 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
37 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
38 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
41 #include <sys/types.h>
42 #include <sys/sysmacros.h>
43 #include <sys/errno.h>
44 #include <sys/debug.h>
46 #include <sys/stropts.h>
47 #include <sys/stream.h>
48 #include <sys/strsubr.h>
49 #include <sys/strlog.h>
50 #include <sys/cmn_err.h>
52 #include <sys/sunddi.h>
54 #include <sys/strsun.h>
55 #include <sys/random.h>
56 #include <sys/types.h>
57 #include <sys/byteorder.h>
58 #include <sys/cryptmod.h>
59 #include <sys/crc32.h>
60 #include <sys/policy.h>
62 #include <sys/crypto/api.h>
65 * Function prototypes.
67 static int cryptmodopen(queue_t
*, dev_t
*, int, int, cred_t
*);
68 static void cryptmodrput(queue_t
*, mblk_t
*);
69 static void cryptmodwput(queue_t
*, mblk_t
*);
70 static int cryptmodclose(queue_t
*);
71 static int cryptmodwsrv(queue_t
*);
72 static int cryptmodrsrv(queue_t
*);
74 static mblk_t
*do_encrypt(queue_t
*q
, mblk_t
*mp
);
75 static mblk_t
*do_decrypt(queue_t
*q
, mblk_t
*mp
);
77 #define CRYPTMOD_ID 5150
83 static struct module_info cryptmod_minfo
= {
84 CRYPTMOD_ID
, /* mi_idnum */
85 "cryptmod", /* mi_idname */
87 INFPSZ
, /* mi_maxpsz */
92 static struct qinit cryptmod_rinit
= {
93 (int (*)())cryptmodrput
, /* qi_putp */
94 cryptmodrsrv
, /* qi_svc */
95 cryptmodopen
, /* qi_qopen */
96 cryptmodclose
, /* qi_qclose */
98 &cryptmod_minfo
, /* qi_minfo */
102 static struct qinit cryptmod_winit
= {
103 (int (*)())cryptmodwput
, /* qi_putp */
104 cryptmodwsrv
, /* qi_srvp */
106 NULL
, /* qi_qclose */
107 NULL
, /* qi_qadmin */
108 &cryptmod_minfo
, /* qi_minfo */
112 static struct streamtab cryptmod_info
= {
113 &cryptmod_rinit
, /* st_rdinit */
114 &cryptmod_winit
, /* st_wrinit */
115 NULL
, /* st_muxrinit */
116 NULL
/* st_muxwinit */
125 #define MAX_CKSUM_LEN 20
126 #define CONFOUNDER_LEN 8
128 #define SHA1_HASHSIZE 20
129 #define MD5_HASHSIZE 16
130 #define CRC32_HASHSIZE 4
131 #define MSGBUF_SIZE 4096
132 #define CONFOUNDER_BYTES 128
135 static int crc32_calc(uchar_t
*, uchar_t
*, uint_t
);
136 static int md5_calc(uchar_t
*, uchar_t
*, uint_t
);
137 static int sha1_calc(uchar_t
*, uchar_t
*, uint_t
);
139 static hash_info_t null_hash
= {0, 0, NULL
};
140 static hash_info_t crc32_hash
= {CRC32_HASHSIZE
, CONFOUNDER_LEN
, crc32_calc
};
141 static hash_info_t md5_hash
= {MD5_HASHSIZE
, CONFOUNDER_LEN
, md5_calc
};
142 static hash_info_t sha1_hash
= {SHA1_HASHSIZE
, CONFOUNDER_LEN
, sha1_calc
};
144 static crypto_mech_type_t sha1_hmac_mech
= CRYPTO_MECH_INVALID
;
145 static crypto_mech_type_t md5_hmac_mech
= CRYPTO_MECH_INVALID
;
146 static crypto_mech_type_t sha1_hash_mech
= CRYPTO_MECH_INVALID
;
147 static crypto_mech_type_t md5_hash_mech
= CRYPTO_MECH_INVALID
;
149 static int kef_crypt(struct cipher_data_t
*, void *,
150 crypto_data_format_t
, size_t, int);
152 arcfour_hmac_md5_encrypt(queue_t
*, struct tmodinfo
*,
153 mblk_t
*, hash_info_t
*);
155 arcfour_hmac_md5_decrypt(queue_t
*, struct tmodinfo
*,
156 mblk_t
*, hash_info_t
*);
159 do_hmac(crypto_mech_type_t
, crypto_key_t
*, char *, int, char *, int);
162 * This is the loadable module wrapper.
164 #include <sys/modctl.h>
166 static struct fmodsw fsw
= {
173 * Module linkage information for the kernel.
175 static struct modlstrmod modlstrmod
= {
177 "STREAMS encryption module",
181 static struct modlinkage modlinkage
= {
190 return (mod_install(&modlinkage
));
196 return (mod_remove(&modlinkage
));
200 _info(struct modinfo
*modinfop
)
202 return (mod_info(&modlinkage
, modinfop
));
206 cleanup(struct cipher_data_t
*cd
)
208 if (cd
->key
!= NULL
) {
209 bzero(cd
->key
, cd
->keylen
);
210 kmem_free(cd
->key
, cd
->keylen
);
214 if (cd
->ckey
!= NULL
) {
216 * ckey is a crypto_key_t structure which references
217 * "cd->key" for its raw key data. Since that was already
218 * cleared out, we don't need another "bzero" here.
220 kmem_free(cd
->ckey
, sizeof (crypto_key_t
));
224 if (cd
->block
!= NULL
) {
225 kmem_free(cd
->block
, cd
->blocklen
);
229 if (cd
->saveblock
!= NULL
) {
230 kmem_free(cd
->saveblock
, cd
->blocklen
);
231 cd
->saveblock
= NULL
;
234 if (cd
->ivec
!= NULL
) {
235 kmem_free(cd
->ivec
, cd
->ivlen
);
239 if (cd
->d_encr_key
.ck_data
!= NULL
) {
240 bzero(cd
->d_encr_key
.ck_data
, cd
->keylen
);
241 kmem_free(cd
->d_encr_key
.ck_data
, cd
->keylen
);
244 if (cd
->d_hmac_key
.ck_data
!= NULL
) {
245 bzero(cd
->d_hmac_key
.ck_data
, cd
->keylen
);
246 kmem_free(cd
->d_hmac_key
.ck_data
, cd
->keylen
);
249 if (cd
->enc_tmpl
!= NULL
)
250 (void) crypto_destroy_ctx_template(cd
->enc_tmpl
);
252 if (cd
->hmac_tmpl
!= NULL
)
253 (void) crypto_destroy_ctx_template(cd
->hmac_tmpl
);
255 if (cd
->ctx
!= NULL
) {
256 crypto_cancel_ctx(cd
->ctx
);
263 cryptmodopen(queue_t
*rq
, dev_t
*dev
, int oflag
, int sflag
, cred_t
*crp
)
265 struct tmodinfo
*tmi
;
268 if (sflag
!= MODOPEN
)
271 (void) (STRLOG(CRYPTMOD_ID
, 0, 5, SL_TRACE
|SL_NOTE
,
272 "cryptmodopen: opening module(PID %d)",
275 if (rq
->q_ptr
!= NULL
) {
276 cmn_err(CE_WARN
, "cryptmodopen: already opened");
281 * Allocate and initialize per-Stream structure.
283 tmi
= kmem_zalloc(sizeof (struct tmodinfo
), KM_SLEEP
);
285 tmi
->enc_data
.method
= CRYPT_METHOD_NONE
;
286 tmi
->dec_data
.method
= CRYPT_METHOD_NONE
;
288 tmi
->ready
= (CRYPT_READ_READY
| CRYPT_WRITE_READY
);
290 rq
->q_ptr
= WR(rq
)->q_ptr
= tmi
;
292 sha1_hmac_mech
= crypto_mech2id(SUN_CKM_SHA1_HMAC
);
293 md5_hmac_mech
= crypto_mech2id(SUN_CKM_MD5_HMAC
);
294 sha1_hash_mech
= crypto_mech2id(SUN_CKM_SHA1
);
295 md5_hash_mech
= crypto_mech2id(SUN_CKM_MD5
);
303 cryptmodclose(queue_t
*rq
)
305 struct tmodinfo
*tmi
= (struct tmodinfo
*)rq
->q_ptr
;
310 cleanup(&tmi
->enc_data
);
311 cleanup(&tmi
->dec_data
);
313 kmem_free(tmi
, sizeof (struct tmodinfo
));
314 rq
->q_ptr
= WR(rq
)->q_ptr
= NULL
;
322 * Calculate exactly how much space is needed in front
323 * of the "plaintext" in an mbuf so it can be positioned
324 * 1 time instead of potentially moving the data multiple
328 plaintext_offset(struct cipher_data_t
*cd
)
332 /* 4 byte length prepended to all RCMD msgs */
333 if (ANY_RCMD_MODE(cd
->option_mask
))
334 headspace
+= RCMD_LEN_SZ
;
336 /* RCMD V2 mode adds an additional 4 byte plaintext length */
337 if (cd
->option_mask
& CRYPTOPT_RCMD_MODE_V2
)
338 headspace
+= RCMD_LEN_SZ
;
340 /* Need extra space for hash and counfounder */
341 switch (cd
->method
) {
342 case CRYPT_METHOD_DES_CBC_NULL
:
343 headspace
+= null_hash
.hash_len
+ null_hash
.confound_len
;
345 case CRYPT_METHOD_DES_CBC_CRC
:
346 headspace
+= crc32_hash
.hash_len
+ crc32_hash
.confound_len
;
348 case CRYPT_METHOD_DES_CBC_MD5
:
349 headspace
+= md5_hash
.hash_len
+ md5_hash
.confound_len
;
351 case CRYPT_METHOD_DES3_CBC_SHA1
:
352 headspace
+= sha1_hash
.confound_len
;
354 case CRYPT_METHOD_ARCFOUR_HMAC_MD5
:
355 headspace
+= md5_hash
.hash_len
+ md5_hash
.confound_len
;
357 case CRYPT_METHOD_AES128
:
358 case CRYPT_METHOD_AES256
:
359 headspace
+= DEFAULT_AES_BLOCKLEN
;
361 case CRYPT_METHOD_DES_CFB
:
362 case CRYPT_METHOD_NONE
:
371 * Calculate the resulting size when encrypting 'plainlen' bytes
375 encrypt_size(struct cipher_data_t
*cd
, size_t plainlen
)
379 switch (cd
->method
) {
380 case CRYPT_METHOD_DES_CBC_NULL
:
381 cipherlen
= (size_t)P2ROUNDUP(null_hash
.hash_len
+
384 case CRYPT_METHOD_DES_CBC_MD5
:
385 cipherlen
= (size_t)P2ROUNDUP(md5_hash
.hash_len
+
386 md5_hash
.confound_len
+
389 case CRYPT_METHOD_DES_CBC_CRC
:
390 cipherlen
= (size_t)P2ROUNDUP(crc32_hash
.hash_len
+
391 crc32_hash
.confound_len
+
394 case CRYPT_METHOD_DES3_CBC_SHA1
:
395 cipherlen
= (size_t)P2ROUNDUP(sha1_hash
.confound_len
+
399 case CRYPT_METHOD_ARCFOUR_HMAC_MD5
:
400 cipherlen
= (size_t)P2ROUNDUP(md5_hash
.confound_len
+
401 plainlen
, 1) + md5_hash
.hash_len
;
403 case CRYPT_METHOD_AES128
:
404 case CRYPT_METHOD_AES256
:
405 /* No roundup for AES-CBC-CTS */
406 cipherlen
= DEFAULT_AES_BLOCKLEN
+ plainlen
+
407 AES_TRUNCATED_HMAC_LEN
;
409 case CRYPT_METHOD_DES_CFB
:
410 case CRYPT_METHOD_NONE
:
411 cipherlen
= plainlen
;
421 * Encrypt the mblk data using DES with cipher feedback.
423 * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
424 * vector, D[n] is the nth chunk of 64 bits of data to encrypt
425 * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
426 * (decrypted) data, then:
428 * V[0] = DES(V[i], key)
429 * O[n] = D[n] <exclusive or > V[n]
430 * V[n+1] = DES(O[n], key)
432 * The size of the message being encrypted does not change in this
433 * algorithm, num_bytes in == num_bytes out.
436 des_cfb_encrypt(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
)
439 char *iptr
, *optr
, *lastoutput
;
441 lastoutput
= optr
= (char *)mp
->b_rptr
;
442 iptr
= (char *)mp
->b_rptr
;
443 savedbytes
= tmi
->enc_data
.bytes
% CFB_BLKSZ
;
445 while (iptr
< (char *)mp
->b_wptr
) {
448 * The first time this runs, the 'tmi->enc_data.block' will
449 * contain the initialization vector that should have been
450 * passed in with the SETUP ioctl.
452 * V[n] = DES(V[n-1], key)
454 if (!(tmi
->enc_data
.bytes
% CFB_BLKSZ
)) {
456 retval
= kef_crypt(&tmi
->enc_data
,
459 tmi
->enc_data
.blocklen
,
462 if (retval
!= CRYPTO_SUCCESS
) {
464 cmn_err(CE_WARN
, "des_cfb_encrypt: kef_crypt "
465 "failed - error 0x%0x", retval
);
467 mp
->b_datap
->db_type
= M_ERROR
;
468 mp
->b_rptr
= mp
->b_datap
->db_base
;
470 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
478 /* O[n] = I[n] ^ V[n] */
479 *(optr
++) = *(iptr
++) ^
480 tmi
->enc_data
.block
[tmi
->enc_data
.bytes
% CFB_BLKSZ
];
482 tmi
->enc_data
.bytes
++;
484 * Feedback the encrypted output as the input to next DES call.
486 if (!(tmi
->enc_data
.bytes
% CFB_BLKSZ
)) {
487 char *dbptr
= tmi
->enc_data
.block
;
489 * Get the last bits of input from the previous
490 * msg block that we haven't yet used as feedback input.
492 if (savedbytes
> 0) {
493 bcopy(tmi
->enc_data
.saveblock
,
494 dbptr
, (size_t)savedbytes
);
499 * Now copy the correct bytes from the current input
500 * stream and update the 'lastoutput' ptr
502 bcopy(lastoutput
, dbptr
,
503 (size_t)(CFB_BLKSZ
- savedbytes
));
505 lastoutput
+= (CFB_BLKSZ
- savedbytes
);
510 * If there are bytes of input here that we need in the next
511 * block to build an ivec, save them off here.
513 if (lastoutput
< optr
) {
515 tmi
->enc_data
.saveblock
+ savedbytes
,
516 (uint_t
)(optr
- lastoutput
));
524 * Decrypt the data in the mblk using DES in Cipher Feedback mode
526 * # bytes in == # bytes out, no padding, confounding, or hashing
531 des_cfb_decrypt(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
)
541 /* decrypted output goes into the new data buffer */
542 lastinput
= iptr
= (char *)mp
->b_rptr
;
544 savedbytes
= tmi
->dec_data
.bytes
% tmi
->dec_data
.blocklen
;
547 * Save the input CFB_BLKSZ bytes at a time.
548 * We are trying to decrypt in-place, but need to keep
549 * a small sliding window of encrypted text to be
550 * used to construct the feedback buffer.
552 cp
= ((tmi
->dec_data
.blocklen
- savedbytes
) > len
? len
:
553 tmi
->dec_data
.blocklen
- savedbytes
);
555 bcopy(lastinput
, tmi
->dec_data
.saveblock
+ savedbytes
, cp
);
560 while (iptr
< (char *)mp
->b_wptr
) {
563 * The first time this runs, the 'tmi->dec_data.block' will
564 * contain the initialization vector that should have been
565 * passed in with the SETUP ioctl.
567 if (!(tmi
->dec_data
.bytes
% CFB_BLKSZ
)) {
569 retval
= kef_crypt(&tmi
->dec_data
,
572 tmi
->dec_data
.blocklen
,
575 if (retval
!= CRYPTO_SUCCESS
) {
577 cmn_err(CE_WARN
, "des_cfb_decrypt: kef_crypt "
578 "failed - status 0x%0x", retval
);
580 mp
->b_datap
->db_type
= M_ERROR
;
581 mp
->b_rptr
= mp
->b_datap
->db_base
;
583 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
592 * To decrypt, XOR the input with the output from the DES call
594 *(iptr
++) ^= tmi
->dec_data
.block
[tmi
->dec_data
.bytes
%
597 tmi
->dec_data
.bytes
++;
600 * Feedback the encrypted input for next DES call.
602 if (!(tmi
->dec_data
.bytes
% tmi
->dec_data
.blocklen
)) {
603 char *dbptr
= tmi
->dec_data
.block
;
605 * Get the last bits of input from the previous block
606 * that we haven't yet processed.
608 if (savedbytes
> 0) {
609 bcopy(tmi
->dec_data
.saveblock
,
617 * This block makes sure that our local
618 * buffer of input data is full and can
619 * be accessed from the beginning.
621 if (lastinput
< (char *)mp
->b_wptr
) {
623 /* How many bytes are left in the mblk? */
624 cp
= (((char *)mp
->b_wptr
- lastinput
) >
625 tmi
->dec_data
.blocklen
?
626 tmi
->dec_data
.blocklen
:
627 (char *)mp
->b_wptr
- lastinput
);
629 /* copy what we need */
630 bcopy(lastinput
, tmi
->dec_data
.saveblock
,
645 * Compute a CRC32 checksum on the input
648 crc32_calc(uchar_t
*buf
, uchar_t
*input
, uint_t len
)
652 CRC32(crc
, input
, len
, 0, crc32_table
);
654 buf
[0] = (uchar_t
)(crc
& 0xff);
655 buf
[1] = (uchar_t
)((crc
>> 8) & 0xff);
656 buf
[2] = (uchar_t
)((crc
>> 16) & 0xff);
657 buf
[3] = (uchar_t
)((crc
>> 24) & 0xff);
659 return (CRYPTO_SUCCESS
);
663 kef_digest(crypto_mech_type_t digest_type
,
664 uchar_t
*input
, uint_t inlen
,
665 uchar_t
*output
, uint_t hashlen
)
668 crypto_data_t d1
, d2
;
669 crypto_mechanism_t mech
;
672 mech
.cm_type
= digest_type
;
674 mech
.cm_param_len
= 0;
676 v1
.iov_base
= (void *)input
;
679 d1
.cd_format
= CRYPTO_DATA_RAW
;
681 d1
.cd_length
= v1
.iov_len
;
684 v2
.iov_base
= (void *)output
;
685 v2
.iov_len
= hashlen
;
687 d2
.cd_format
= CRYPTO_DATA_RAW
;
689 d2
.cd_length
= v2
.iov_len
;
692 rv
= crypto_digest(&mech
, &d1
, &d2
, NULL
);
700 * Get a SHA1 hash on the input data.
703 sha1_calc(uchar_t
*output
, uchar_t
*input
, uint_t inlen
)
707 rv
= kef_digest(sha1_hash_mech
, input
, inlen
, output
, SHA1_HASHSIZE
);
713 * Get an MD5 hash on the input data.
718 md5_calc(uchar_t
*output
, uchar_t
*input
, uint_t inlen
)
722 rv
= kef_digest(md5_hash_mech
, input
, inlen
, output
, MD5_HASHSIZE
);
729 * duplicate the functionality of the krb5_nfold function from
730 * the userland kerberos mech.
731 * This is needed to derive keys for use with 3DES/SHA1-HMAC
735 nfold(int inbits
, uchar_t
*in
, int outbits
, uchar_t
*out
)
743 /* first compute lcm(n,k) */
753 lcm
= outbits
*inbits
/a
;
755 /* now do the real work */
761 * Compute the msbit in k which gets added into this byte
762 * first, start with the msbit in the first, unrotated byte
763 * then, for each byte, shift to the right for each repetition
764 * last, pick out the correct byte within that shifted repetition
766 for (i
= lcm
-1; i
>= 0; i
--) {
767 msbit
= (((inbits
<<3)-1)
768 +(((inbits
<<3)+13)*(i
/inbits
))
769 +((inbits
-(i
%inbits
))<<3)) %(inbits
<<3);
771 /* pull out the byte value itself */
772 byte
+= (((in
[((inbits
-1)-(msbit
>>3))%inbits
]<<8)|
773 (in
[((inbits
)-(msbit
>>3))%inbits
]))
774 >>((msbit
&7)+1))&0xff;
776 /* do the addition */
777 byte
+= out
[i
%outbits
];
778 out
[i
%outbits
] = byte
&0xff;
783 /* if there's a carry bit left over, add it back in */
785 for (i
= outbits
-1; i
>= 0; i
--) {
786 /* do the addition */
790 /* keep around the carry bit, if any */
796 #define smask(step) ((1<<step)-1)
797 #define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
798 #define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
801 * Duplicate the functionality of the "dk_derive_key" function
802 * in the Kerberos mechanism.
805 derive_key(struct cipher_data_t
*cdata
, uchar_t
*constdata
,
806 int constlen
, char *dkey
, int keybytes
,
816 inblock
= kmem_zalloc(blocklen
, KM_SLEEP
);
817 rawkey
= kmem_zalloc(keybytes
, KM_SLEEP
);
818 zeroblock
= kmem_zalloc(blocklen
, KM_SLEEP
);
820 if (constlen
== blocklen
)
821 bcopy(constdata
, inblock
, blocklen
);
823 nfold(constlen
* 8, constdata
,
824 blocklen
* 8, (uchar_t
*)inblock
);
827 * zeroblock is an IV of all 0's.
829 * The "block" section of the cdata record is used as the
830 * IV for crypto operations in the kef_crypt function.
832 * We use 'block' as a generic IV data buffer because it
833 * is attached to the stream state data and thus can
834 * be used to hold information that must carry over
835 * from processing of one mblk to another.
837 * Here, we save the current IV and replace it with
838 * and empty IV (all 0's) for use when deriving the
839 * keys. Once the key derivation is done, we swap the
840 * old IV back into place.
842 saveblock
= cdata
->block
;
843 cdata
->block
= zeroblock
;
845 while (n
< keybytes
) {
846 rv
= kef_crypt(cdata
, inblock
, CRYPTO_DATA_RAW
,
847 blocklen
, CRYPT_ENCRYPT
);
848 if (rv
!= CRYPTO_SUCCESS
) {
849 /* put the original IV block back in place */
850 cdata
->block
= saveblock
;
851 cmn_err(CE_WARN
, "failed to derive a key: %0x", rv
);
855 if (keybytes
- n
< blocklen
) {
856 bcopy(inblock
, rawkey
+n
, (keybytes
-n
));
859 bcopy(inblock
, rawkey
+n
, blocklen
);
862 /* put the original IV block back in place */
863 cdata
->block
= saveblock
;
865 /* finally, make the key */
866 if (cdata
->method
== CRYPT_METHOD_DES3_CBC_SHA1
) {
868 * 3DES key derivation requires that we make sure the
869 * key has the proper parity.
871 for (i
= 0; i
< 3; i
++) {
872 bcopy(rawkey
+(i
*7), dkey
+(i
*8), 7);
874 /* 'dkey' is our derived key output buffer */
875 dkey
[i
*8+7] = (((dkey
[i
*8]&1)<<1) |
876 ((dkey
[i
*8+1]&1)<<2) |
877 ((dkey
[i
*8+2]&1)<<3) |
878 ((dkey
[i
*8+3]&1)<<4) |
879 ((dkey
[i
*8+4]&1)<<5) |
880 ((dkey
[i
*8+5]&1)<<6) |
881 ((dkey
[i
*8+6]&1)<<7));
883 for (n
= 0; n
< 8; n
++) {
884 dkey
[i
*8 + n
] &= 0xfe;
885 dkey
[i
*8 + n
] |= 1^parity_char(dkey
[i
*8 + n
]);
888 } else if (IS_AES_METHOD(cdata
->method
)) {
889 bcopy(rawkey
, dkey
, keybytes
);
892 kmem_free(inblock
, blocklen
);
893 kmem_free(zeroblock
, blocklen
);
894 kmem_free(rawkey
, keybytes
);
899 * create_derived_keys
901 * Algorithm for deriving a new key and an HMAC key
902 * before computing the 3DES-SHA1-HMAC operation on the plaintext
903 * This algorithm matches the work done by Kerberos mechanism
907 create_derived_keys(struct cipher_data_t
*cdata
, uint32_t usage
,
908 crypto_key_t
*enckey
, crypto_key_t
*hmackey
)
910 uchar_t constdata
[K5CLENGTH
];
914 constdata
[0] = (usage
>>24)&0xff;
915 constdata
[1] = (usage
>>16)&0xff;
916 constdata
[2] = (usage
>>8)&0xff;
917 constdata
[3] = usage
& 0xff;
918 /* Use "0xAA" for deriving encryption key */
919 constdata
[4] = 0xAA; /* from MIT Kerberos code */
921 enckey
->ck_length
= cdata
->keylen
* 8;
922 enckey
->ck_format
= CRYPTO_KEY_RAW
;
923 enckey
->ck_data
= kmem_zalloc(cdata
->keylen
, KM_SLEEP
);
925 switch (cdata
->method
) {
926 case CRYPT_METHOD_DES_CFB
:
927 case CRYPT_METHOD_DES_CBC_NULL
:
928 case CRYPT_METHOD_DES_CBC_MD5
:
929 case CRYPT_METHOD_DES_CBC_CRC
:
932 case CRYPT_METHOD_DES3_CBC_SHA1
:
933 keybytes
= CRYPT_DES3_KEYBYTES
;
935 case CRYPT_METHOD_ARCFOUR_HMAC_MD5
:
936 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP
:
937 keybytes
= CRYPT_ARCFOUR_KEYBYTES
;
939 case CRYPT_METHOD_AES128
:
940 keybytes
= CRYPT_AES128_KEYBYTES
;
942 case CRYPT_METHOD_AES256
:
943 keybytes
= CRYPT_AES256_KEYBYTES
;
947 /* derive main crypto key */
948 rv
= derive_key(cdata
, constdata
, sizeof (constdata
),
949 enckey
->ck_data
, keybytes
, cdata
->blocklen
);
951 if (rv
== CRYPTO_SUCCESS
) {
953 /* Use "0x55" for deriving mac key */
956 hmackey
->ck_length
= cdata
->keylen
* 8;
957 hmackey
->ck_format
= CRYPTO_KEY_RAW
;
958 hmackey
->ck_data
= kmem_zalloc(cdata
->keylen
, KM_SLEEP
);
960 rv
= derive_key(cdata
, constdata
, sizeof (constdata
),
961 hmackey
->ck_data
, keybytes
,
964 cmn_err(CE_WARN
, "failed to derive crypto key: %02x", rv
);
971 * Compute 3-DES crypto and HMAC.
974 kef_decr_hmac(struct cipher_data_t
*cdata
,
975 mblk_t
*mp
, int length
,
976 char *hmac
, int hmaclen
)
978 int rv
= CRYPTO_FAILED
;
980 crypto_mechanism_t encr_mech
;
981 crypto_mechanism_t mac_mech
;
986 ASSERT(cdata
!= NULL
);
988 ASSERT(hmac
!= NULL
);
990 bzero(&dd
, sizeof (dd
));
991 dd
.cd_format
= CRYPTO_DATA_MBLK
;
993 dd
.cd_length
= length
;
997 v1
.iov_len
= hmaclen
;
999 mac
.cd_format
= CRYPTO_DATA_RAW
;
1001 mac
.cd_length
= hmaclen
;
1005 * cdata->block holds the IVEC
1007 encr_mech
.cm_type
= cdata
->mech_type
;
1008 encr_mech
.cm_param
= cdata
->block
;
1010 if (cdata
->block
!= NULL
)
1011 encr_mech
.cm_param_len
= cdata
->blocklen
;
1013 encr_mech
.cm_param_len
= 0;
1015 rv
= crypto_decrypt(&encr_mech
, &dd
, &cdata
->d_encr_key
,
1016 cdata
->enc_tmpl
, NULL
, NULL
);
1017 if (rv
!= CRYPTO_SUCCESS
) {
1018 cmn_err(CE_WARN
, "crypto_decrypt failed: %0x", rv
);
1022 mac_mech
.cm_type
= sha1_hmac_mech
;
1023 mac_mech
.cm_param
= NULL
;
1024 mac_mech
.cm_param_len
= 0;
1027 * Compute MAC of the plaintext decrypted above.
1029 rv
= crypto_mac(&mac_mech
, &dd
, &cdata
->d_hmac_key
,
1030 cdata
->hmac_tmpl
, &mac
, NULL
);
1032 if (rv
!= CRYPTO_SUCCESS
) {
1033 cmn_err(CE_WARN
, "crypto_mac failed: %0x", rv
);
1040 * Compute 3-DES crypto and HMAC.
1043 kef_encr_hmac(struct cipher_data_t
*cdata
,
1044 mblk_t
*mp
, int length
,
1045 char *hmac
, int hmaclen
)
1047 int rv
= CRYPTO_FAILED
;
1049 crypto_mechanism_t encr_mech
;
1050 crypto_mechanism_t mac_mech
;
1055 ASSERT(cdata
!= NULL
);
1057 ASSERT(hmac
!= NULL
);
1059 bzero(&dd
, sizeof (dd
));
1060 dd
.cd_format
= CRYPTO_DATA_MBLK
;
1062 dd
.cd_length
= length
;
1066 v1
.iov_len
= hmaclen
;
1068 mac
.cd_format
= CRYPTO_DATA_RAW
;
1070 mac
.cd_length
= hmaclen
;
1074 * cdata->block holds the IVEC
1076 encr_mech
.cm_type
= cdata
->mech_type
;
1077 encr_mech
.cm_param
= cdata
->block
;
1079 if (cdata
->block
!= NULL
)
1080 encr_mech
.cm_param_len
= cdata
->blocklen
;
1082 encr_mech
.cm_param_len
= 0;
1084 mac_mech
.cm_type
= sha1_hmac_mech
;
1085 mac_mech
.cm_param
= NULL
;
1086 mac_mech
.cm_param_len
= 0;
1088 rv
= crypto_mac(&mac_mech
, &dd
, &cdata
->d_hmac_key
,
1089 cdata
->hmac_tmpl
, &mac
, NULL
);
1091 if (rv
!= CRYPTO_SUCCESS
) {
1092 cmn_err(CE_WARN
, "crypto_mac failed: %0x", rv
);
1096 rv
= crypto_encrypt(&encr_mech
, &dd
, &cdata
->d_encr_key
,
1097 cdata
->enc_tmpl
, NULL
, NULL
);
1098 if (rv
!= CRYPTO_SUCCESS
) {
1099 cmn_err(CE_WARN
, "crypto_encrypt failed: %0x", rv
);
1108 * Use the Kernel encryption framework to provide the
1109 * crypto operations for the indicated data.
1112 kef_crypt(struct cipher_data_t
*cdata
,
1113 void *indata
, crypto_data_format_t fmt
,
1114 size_t length
, int mode
)
1116 int rv
= CRYPTO_FAILED
;
1118 crypto_mechanism_t mech
;
1123 ASSERT(cdata
!= NULL
);
1124 ASSERT(indata
!= NULL
);
1125 ASSERT(fmt
== CRYPTO_DATA_RAW
|| fmt
== CRYPTO_DATA_MBLK
);
1127 bzero(&crkey
, sizeof (crkey
));
1128 bzero(&d1
, sizeof (d1
));
1130 crkey
.ck_format
= CRYPTO_KEY_RAW
;
1131 crkey
.ck_data
= cdata
->key
;
1133 /* keys are measured in bits, not bytes, so multiply by 8 */
1134 crkey
.ck_length
= cdata
->keylen
* 8;
1136 if (fmt
== CRYPTO_DATA_RAW
) {
1137 v1
.iov_base
= (char *)indata
;
1138 v1
.iov_len
= length
;
1143 d1
.cd_length
= length
;
1144 if (fmt
== CRYPTO_DATA_RAW
)
1146 else if (fmt
== CRYPTO_DATA_MBLK
)
1147 d1
.cd_mp
= (mblk_t
*)indata
;
1149 mech
.cm_type
= cdata
->mech_type
;
1150 mech
.cm_param
= cdata
->block
;
1152 * cdata->block holds the IVEC
1154 if (cdata
->block
!= NULL
)
1155 mech
.cm_param_len
= cdata
->blocklen
;
1157 mech
.cm_param_len
= 0;
1160 * encrypt and decrypt in-place
1162 if (mode
== CRYPT_ENCRYPT
)
1163 rv
= crypto_encrypt(&mech
, &d1
, &crkey
, NULL
, NULL
, NULL
);
1165 rv
= crypto_decrypt(&mech
, &d1
, &crkey
, NULL
, NULL
, NULL
);
1167 if (rv
!= CRYPTO_SUCCESS
) {
1168 cmn_err(CE_WARN
, "%s returned error %08x",
1169 (mode
== CRYPT_ENCRYPT
? "crypto_encrypt" :
1170 "crypto_decrypt"), rv
);
1171 return (CRYPTO_FAILED
);
1178 do_hmac(crypto_mech_type_t mech
,
1180 char *data
, int datalen
,
1181 char *hmac
, int hmaclen
)
1184 crypto_mechanism_t mac_mech
;
1187 iovec_t vdata
, vmac
;
1189 mac_mech
.cm_type
= mech
;
1190 mac_mech
.cm_param
= NULL
;
1191 mac_mech
.cm_param_len
= 0;
1193 vdata
.iov_base
= data
;
1194 vdata
.iov_len
= datalen
;
1196 bzero(&dd
, sizeof (dd
));
1197 dd
.cd_format
= CRYPTO_DATA_RAW
;
1199 dd
.cd_length
= datalen
;
1202 vmac
.iov_base
= hmac
;
1203 vmac
.iov_len
= hmaclen
;
1205 mac
.cd_format
= CRYPTO_DATA_RAW
;
1207 mac
.cd_length
= hmaclen
;
1211 * Compute MAC of the plaintext decrypted above.
1213 rv
= crypto_mac(&mac_mech
, &dd
, key
, NULL
, &mac
, NULL
);
1215 if (rv
!= CRYPTO_SUCCESS
) {
1216 cmn_err(CE_WARN
, "crypto_mac failed: %0x", rv
);
1222 #define XOR_BLOCK(src, dst) \
1223 (dst)[0] ^= (src)[0]; \
1224 (dst)[1] ^= (src)[1]; \
1225 (dst)[2] ^= (src)[2]; \
1226 (dst)[3] ^= (src)[3]; \
1227 (dst)[4] ^= (src)[4]; \
1228 (dst)[5] ^= (src)[5]; \
1229 (dst)[6] ^= (src)[6]; \
1230 (dst)[7] ^= (src)[7]; \
1231 (dst)[8] ^= (src)[8]; \
1232 (dst)[9] ^= (src)[9]; \
1233 (dst)[10] ^= (src)[10]; \
1234 (dst)[11] ^= (src)[11]; \
1235 (dst)[12] ^= (src)[12]; \
1236 (dst)[13] ^= (src)[13]; \
1237 (dst)[14] ^= (src)[14]; \
1238 (dst)[15] ^= (src)[15]
1240 #define xorblock(x, y) XOR_BLOCK(y, x)
1243 aes_cbc_cts_encrypt(struct tmodinfo
*tmi
, uchar_t
*plain
, size_t length
)
1245 int result
= CRYPTO_SUCCESS
;
1246 unsigned char tmp
[DEFAULT_AES_BLOCKLEN
];
1247 unsigned char tmp2
[DEFAULT_AES_BLOCKLEN
];
1248 unsigned char tmp3
[DEFAULT_AES_BLOCKLEN
];
1249 int nblocks
= 0, blockno
;
1250 crypto_data_t ct
, pt
;
1251 crypto_mechanism_t mech
;
1253 mech
.cm_type
= tmi
->enc_data
.mech_type
;
1254 if (tmi
->enc_data
.ivlen
> 0 && tmi
->enc_data
.ivec
!= NULL
) {
1255 bcopy(tmi
->enc_data
.ivec
, tmp
, DEFAULT_AES_BLOCKLEN
);
1257 bzero(tmp
, sizeof (tmp
));
1259 mech
.cm_param
= NULL
;
1260 mech
.cm_param_len
= 0;
1262 nblocks
= (length
+ DEFAULT_AES_BLOCKLEN
- 1) / DEFAULT_AES_BLOCKLEN
;
1264 bzero(&ct
, sizeof (crypto_data_t
));
1265 bzero(&pt
, sizeof (crypto_data_t
));
1268 pt
.cd_format
= CRYPTO_DATA_RAW
;
1269 pt
.cd_length
= length
;
1270 pt
.cd_raw
.iov_base
= (char *)plain
;
1271 pt
.cd_raw
.iov_len
= length
;
1273 result
= crypto_encrypt(&mech
, &pt
,
1274 &tmi
->enc_data
.d_encr_key
, NULL
, NULL
, NULL
);
1276 if (result
!= CRYPTO_SUCCESS
) {
1277 cmn_err(CE_WARN
, "aes_cbc_cts_encrypt: "
1278 "crypto_encrypt failed: %0x", result
);
1283 ct
.cd_format
= CRYPTO_DATA_RAW
;
1285 ct
.cd_length
= DEFAULT_AES_BLOCKLEN
;
1287 pt
.cd_format
= CRYPTO_DATA_RAW
;
1289 pt
.cd_length
= DEFAULT_AES_BLOCKLEN
;
1291 result
= crypto_encrypt_init(&mech
,
1292 &tmi
->enc_data
.d_encr_key
,
1293 tmi
->enc_data
.enc_tmpl
,
1294 &tmi
->enc_data
.ctx
, NULL
);
1296 if (result
!= CRYPTO_SUCCESS
) {
1297 cmn_err(CE_WARN
, "aes_cbc_cts_encrypt: "
1298 "crypto_encrypt_init failed: %0x", result
);
1302 for (blockno
= 0; blockno
< nblocks
- 2; blockno
++) {
1303 xorblock(tmp
, plain
+ blockno
* DEFAULT_AES_BLOCKLEN
);
1305 pt
.cd_raw
.iov_base
= (char *)tmp
;
1306 pt
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1308 ct
.cd_raw
.iov_base
= (char *)plain
+
1309 blockno
* DEFAULT_AES_BLOCKLEN
;
1310 ct
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1312 result
= crypto_encrypt_update(tmi
->enc_data
.ctx
,
1315 if (result
!= CRYPTO_SUCCESS
) {
1316 cmn_err(CE_WARN
, "aes_cbc_cts_encrypt: "
1317 "crypto_encrypt_update failed: %0x",
1321 /* copy result over original bytes */
1322 /* make another copy for the next XOR step */
1323 bcopy(plain
+ blockno
* DEFAULT_AES_BLOCKLEN
,
1324 tmp
, DEFAULT_AES_BLOCKLEN
);
1326 /* XOR cipher text from n-3 with plain text from n-2 */
1327 xorblock(tmp
, plain
+ (nblocks
- 2) * DEFAULT_AES_BLOCKLEN
);
1329 pt
.cd_raw
.iov_base
= (char *)tmp
;
1330 pt
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1332 ct
.cd_raw
.iov_base
= (char *)tmp2
;
1333 ct
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1335 /* encrypt XOR-ed block N-2 */
1336 result
= crypto_encrypt_update(tmi
->enc_data
.ctx
,
1338 if (result
!= CRYPTO_SUCCESS
) {
1339 cmn_err(CE_WARN
, "aes_cbc_cts_encrypt: "
1340 "crypto_encrypt_update(2) failed: %0x",
1344 nleft
= length
- (nblocks
- 1) * DEFAULT_AES_BLOCKLEN
;
1346 bzero(tmp3
, sizeof (tmp3
));
1347 /* Save final plaintext bytes from n-1 */
1348 bcopy(plain
+ (nblocks
- 1) * DEFAULT_AES_BLOCKLEN
, tmp3
,
1351 /* Overwrite n-1 with cipher text from n-2 */
1352 bcopy(tmp2
, plain
+ (nblocks
- 1) * DEFAULT_AES_BLOCKLEN
,
1355 bcopy(tmp2
, tmp
, DEFAULT_AES_BLOCKLEN
);
1356 /* XOR cipher text from n-1 with plain text from n-1 */
1357 xorblock(tmp
, tmp3
);
1359 pt
.cd_raw
.iov_base
= (char *)tmp
;
1360 pt
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1362 ct
.cd_raw
.iov_base
= (char *)tmp2
;
1363 ct
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1365 /* encrypt block N-2 */
1366 result
= crypto_encrypt_update(tmi
->enc_data
.ctx
,
1369 if (result
!= CRYPTO_SUCCESS
) {
1370 cmn_err(CE_WARN
, "aes_cbc_cts_encrypt: "
1371 "crypto_encrypt_update(3) failed: %0x",
1376 bcopy(tmp2
, plain
+ (nblocks
- 2) * DEFAULT_AES_BLOCKLEN
,
1377 DEFAULT_AES_BLOCKLEN
);
1380 ct
.cd_raw
.iov_base
= (char *)tmp2
;
1381 ct
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1384 * Ignore the output on the final step.
1386 result
= crypto_encrypt_final(tmi
->enc_data
.ctx
, &ct
, NULL
);
1387 if (result
!= CRYPTO_SUCCESS
) {
1388 cmn_err(CE_WARN
, "aes_cbc_cts_encrypt: "
1389 "crypto_encrypt_final(3) failed: %0x",
1392 tmi
->enc_data
.ctx
= NULL
;
1395 bzero(tmp
, sizeof (tmp
));
1396 bzero(tmp2
, sizeof (tmp
));
1397 bzero(tmp3
, sizeof (tmp
));
1398 bzero(tmi
->enc_data
.block
, tmi
->enc_data
.blocklen
);
1403 aes_cbc_cts_decrypt(struct tmodinfo
*tmi
, uchar_t
*buff
, size_t length
)
1405 int result
= CRYPTO_SUCCESS
;
1406 unsigned char tmp
[DEFAULT_AES_BLOCKLEN
];
1407 unsigned char tmp2
[DEFAULT_AES_BLOCKLEN
];
1408 unsigned char tmp3
[DEFAULT_AES_BLOCKLEN
];
1409 int nblocks
= 0, blockno
;
1410 crypto_data_t ct
, pt
;
1411 crypto_mechanism_t mech
;
1413 mech
.cm_type
= tmi
->enc_data
.mech_type
;
1415 if (tmi
->dec_data
.ivec_usage
!= IVEC_NEVER
&&
1416 tmi
->dec_data
.ivlen
> 0 && tmi
->dec_data
.ivec
!= NULL
) {
1417 bcopy(tmi
->dec_data
.ivec
, tmp
, DEFAULT_AES_BLOCKLEN
);
1419 bzero(tmp
, sizeof (tmp
));
1421 mech
.cm_param_len
= 0;
1422 mech
.cm_param
= NULL
;
1424 nblocks
= (length
+ DEFAULT_AES_BLOCKLEN
- 1) / DEFAULT_AES_BLOCKLEN
;
1426 bzero(&pt
, sizeof (pt
));
1427 bzero(&ct
, sizeof (ct
));
1430 ct
.cd_format
= CRYPTO_DATA_RAW
;
1431 ct
.cd_length
= length
;
1432 ct
.cd_raw
.iov_base
= (char *)buff
;
1433 ct
.cd_raw
.iov_len
= length
;
1435 result
= crypto_decrypt(&mech
, &ct
,
1436 &tmi
->dec_data
.d_encr_key
, NULL
, NULL
, NULL
);
1438 if (result
!= CRYPTO_SUCCESS
) {
1439 cmn_err(CE_WARN
, "aes_cbc_cts_decrypt: "
1440 "crypto_decrypt failed: %0x", result
);
1444 ct
.cd_format
= CRYPTO_DATA_RAW
;
1446 ct
.cd_length
= DEFAULT_AES_BLOCKLEN
;
1448 pt
.cd_format
= CRYPTO_DATA_RAW
;
1450 pt
.cd_length
= DEFAULT_AES_BLOCKLEN
;
1452 result
= crypto_decrypt_init(&mech
,
1453 &tmi
->dec_data
.d_encr_key
,
1454 tmi
->dec_data
.enc_tmpl
,
1455 &tmi
->dec_data
.ctx
, NULL
);
1457 if (result
!= CRYPTO_SUCCESS
) {
1458 cmn_err(CE_WARN
, "aes_cbc_cts_decrypt: "
1459 "crypto_decrypt_init failed: %0x", result
);
1462 for (blockno
= 0; blockno
< nblocks
- 2; blockno
++) {
1463 ct
.cd_raw
.iov_base
= (char *)buff
+
1464 (blockno
* DEFAULT_AES_BLOCKLEN
);
1465 ct
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1467 pt
.cd_raw
.iov_base
= (char *)tmp2
;
1468 pt
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1471 * Save the input to the decrypt so it can
1472 * be used later for an XOR operation
1474 bcopy(buff
+ (blockno
* DEFAULT_AES_BLOCKLEN
),
1475 tmi
->dec_data
.block
, DEFAULT_AES_BLOCKLEN
);
1477 result
= crypto_decrypt_update(tmi
->dec_data
.ctx
,
1479 if (result
!= CRYPTO_SUCCESS
) {
1480 cmn_err(CE_WARN
, "aes_cbc_cts_decrypt: "
1481 "crypto_decrypt_update(1) error - "
1482 "result = 0x%08x", result
);
1485 xorblock(tmp2
, tmp
);
1486 bcopy(tmp2
, buff
+ blockno
* DEFAULT_AES_BLOCKLEN
,
1487 DEFAULT_AES_BLOCKLEN
);
1489 * The original cipher text is used as the xor
1490 * for the next block, save it here.
1492 bcopy(tmi
->dec_data
.block
, tmp
, DEFAULT_AES_BLOCKLEN
);
1494 ct
.cd_raw
.iov_base
= (char *)buff
+
1495 ((nblocks
- 2) * DEFAULT_AES_BLOCKLEN
);
1496 ct
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1497 pt
.cd_raw
.iov_base
= (char *)tmp2
;
1498 pt
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1500 result
= crypto_decrypt_update(tmi
->dec_data
.ctx
,
1502 if (result
!= CRYPTO_SUCCESS
) {
1504 "aes_cbc_cts_decrypt: "
1505 "crypto_decrypt_update(2) error -"
1506 " result = 0x%08x", result
);
1509 bzero(tmp3
, sizeof (tmp3
));
1510 bcopy(buff
+ (nblocks
- 1) * DEFAULT_AES_BLOCKLEN
, tmp3
,
1511 length
- ((nblocks
- 1) * DEFAULT_AES_BLOCKLEN
));
1513 xorblock(tmp2
, tmp3
);
1514 bcopy(tmp2
, buff
+ (nblocks
- 1) * DEFAULT_AES_BLOCKLEN
,
1515 length
- ((nblocks
- 1) * DEFAULT_AES_BLOCKLEN
));
1517 /* 2nd to last block ... */
1519 length
- ((nblocks
- 1) * DEFAULT_AES_BLOCKLEN
));
1521 ct
.cd_raw
.iov_base
= (char *)tmp2
;
1522 ct
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1523 pt
.cd_raw
.iov_base
= (char *)tmp3
;
1524 pt
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1526 result
= crypto_decrypt_update(tmi
->dec_data
.ctx
,
1528 if (result
!= CRYPTO_SUCCESS
) {
1530 "aes_cbc_cts_decrypt: "
1531 "crypto_decrypt_update(3) error - "
1532 "result = 0x%08x", result
);
1535 xorblock(tmp3
, tmp
);
1538 /* Finally, update the 2nd to last block and we are done. */
1539 bcopy(tmp3
, buff
+ (nblocks
- 2) * DEFAULT_AES_BLOCKLEN
,
1540 DEFAULT_AES_BLOCKLEN
);
1542 /* Do Final step, but ignore output */
1543 pt
.cd_raw
.iov_base
= (char *)tmp2
;
1544 pt
.cd_raw
.iov_len
= DEFAULT_AES_BLOCKLEN
;
1545 result
= crypto_decrypt_final(tmi
->dec_data
.ctx
, &pt
, NULL
);
1546 if (result
!= CRYPTO_SUCCESS
) {
1547 cmn_err(CE_WARN
, "aes_cbc_cts_decrypt: "
1548 "crypto_decrypt_final error - "
1549 "result = 0x%0x", result
);
1551 tmi
->dec_data
.ctx
= NULL
;
1555 bzero(tmp
, sizeof (tmp
));
1556 bzero(tmp2
, sizeof (tmp
));
1557 bzero(tmp3
, sizeof (tmp
));
1558 bzero(tmi
->dec_data
.block
, tmi
->dec_data
.blocklen
);
1565 * format of ciphertext when using AES
1566 * +-------------+------------+------------+
1567 * | confounder | msg-data | hmac |
1568 * +-------------+------------+------------+
1571 aes_decrypt(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
,
1577 uchar_t hmacbuff
[64];
1578 uchar_t tmpiv
[DEFAULT_AES_BLOCKLEN
];
1580 inlen
= (size_t)MBLKL(mp
);
1582 enclen
= inlen
- AES_TRUNCATED_HMAC_LEN
;
1583 if (tmi
->dec_data
.ivec_usage
!= IVEC_NEVER
&&
1584 tmi
->dec_data
.ivec
!= NULL
&& tmi
->dec_data
.ivlen
> 0) {
1585 int nblocks
= (enclen
+ DEFAULT_AES_BLOCKLEN
- 1) /
1586 DEFAULT_AES_BLOCKLEN
;
1587 bcopy(mp
->b_rptr
+ DEFAULT_AES_BLOCKLEN
* (nblocks
- 2),
1588 tmpiv
, DEFAULT_AES_BLOCKLEN
);
1592 result
= aes_cbc_cts_decrypt(tmi
, mp
->b_rptr
, enclen
);
1594 if (result
!= CRYPTO_SUCCESS
) {
1596 "aes_decrypt: aes_cbc_cts_decrypt "
1597 "failed - error %0x", result
);
1601 /* Verify the HMAC */
1602 result
= do_hmac(sha1_hmac_mech
,
1603 &tmi
->dec_data
.d_hmac_key
,
1604 (char *)mp
->b_rptr
, enclen
,
1605 (char *)hmacbuff
, hash
->hash_len
);
1607 if (result
!= CRYPTO_SUCCESS
) {
1609 "aes_decrypt: do_hmac failed - error %0x", result
);
1613 if (bcmp(hmacbuff
, mp
->b_rptr
+ enclen
,
1614 AES_TRUNCATED_HMAC_LEN
) != 0) {
1616 cmn_err(CE_WARN
, "aes_decrypt: checksum verification failed");
1620 /* truncate the mblk at the end of the decrypted text */
1621 mp
->b_wptr
= mp
->b_rptr
+ enclen
;
1623 /* Adjust the beginning of the buffer to skip the confounder */
1624 mp
->b_rptr
+= DEFAULT_AES_BLOCKLEN
;
1626 if (tmi
->dec_data
.ivec_usage
!= IVEC_NEVER
&&
1627 tmi
->dec_data
.ivec
!= NULL
&& tmi
->dec_data
.ivlen
> 0)
1628 bcopy(tmpiv
, tmi
->dec_data
.ivec
, DEFAULT_AES_BLOCKLEN
);
1631 if (result
!= CRYPTO_SUCCESS
) {
1632 mp
->b_datap
->db_type
= M_ERROR
;
1633 mp
->b_rptr
= mp
->b_datap
->db_base
;
1635 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
1636 freemsg(mp
->b_cont
);
1647 * format of ciphertext when using AES
1648 * +-------------+------------+------------+
1649 * | confounder | msg-data | hmac |
1650 * +-------------+------------+------------+
1653 aes_encrypt(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
,
1659 uchar_t hmacbuff
[64];
1661 inlen
= (size_t)MBLKL(mp
);
1663 cipherlen
= encrypt_size(&tmi
->enc_data
, inlen
);
1665 ASSERT(MBLKSIZE(mp
) >= cipherlen
);
1668 * Shift the rptr back enough to insert the confounder.
1670 mp
->b_rptr
-= DEFAULT_AES_BLOCKLEN
;
1672 /* Get random data for confounder */
1673 (void) random_get_pseudo_bytes((uint8_t *)mp
->b_rptr
,
1674 DEFAULT_AES_BLOCKLEN
);
1677 * Because we encrypt in-place, we need to calculate
1678 * the HMAC of the plaintext now, then stick it on
1679 * the end of the ciphertext down below.
1681 result
= do_hmac(sha1_hmac_mech
,
1682 &tmi
->enc_data
.d_hmac_key
,
1683 (char *)mp
->b_rptr
, DEFAULT_AES_BLOCKLEN
+ inlen
,
1684 (char *)hmacbuff
, hash
->hash_len
);
1686 if (result
!= CRYPTO_SUCCESS
) {
1687 cmn_err(CE_WARN
, "aes_encrypt: do_hmac failed - error %0x",
1691 /* Encrypt using AES-CBC-CTS */
1692 result
= aes_cbc_cts_encrypt(tmi
, mp
->b_rptr
,
1693 inlen
+ DEFAULT_AES_BLOCKLEN
);
1695 if (result
!= CRYPTO_SUCCESS
) {
1696 cmn_err(CE_WARN
, "aes_encrypt: aes_cbc_cts_encrypt "
1697 "failed - error %0x", result
);
1701 /* copy the truncated HMAC to the end of the mblk */
1702 bcopy(hmacbuff
, mp
->b_rptr
+ DEFAULT_AES_BLOCKLEN
+ inlen
,
1703 AES_TRUNCATED_HMAC_LEN
);
1705 mp
->b_wptr
= mp
->b_rptr
+ cipherlen
;
1708 * The final block of cipher text (not the HMAC) is used
1711 if (tmi
->enc_data
.ivec_usage
!= IVEC_NEVER
&&
1712 tmi
->enc_data
.ivec
!= NULL
) {
1713 int nblocks
= (inlen
+ 2 * DEFAULT_AES_BLOCKLEN
- 1) /
1714 DEFAULT_AES_BLOCKLEN
;
1716 bcopy(mp
->b_rptr
+ (nblocks
- 2) * DEFAULT_AES_BLOCKLEN
,
1717 tmi
->enc_data
.ivec
, DEFAULT_AES_BLOCKLEN
);
1721 if (result
!= CRYPTO_SUCCESS
) {
1722 mp
->b_datap
->db_type
= M_ERROR
;
1723 mp
->b_rptr
= mp
->b_datap
->db_base
;
1725 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
1726 freemsg(mp
->b_cont
);
1735 * ARCFOUR-HMAC-MD5 decrypt
1737 * format of ciphertext when using ARCFOUR-HMAC-MD5
1738 * +-----------+------------+------------+
1739 * | hmac | confounder | msg-data |
1740 * +-----------+------------+------------+
1744 arcfour_hmac_md5_decrypt(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
,
1751 crypto_key_t k1
, k2
;
1752 crypto_data_t indata
;
1754 uchar_t ms_exp
[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1755 0xab, 0xab, 0xab, 0xab };
1756 uchar_t k1data
[CRYPT_ARCFOUR_KEYBYTES
];
1757 uchar_t k2data
[CRYPT_ARCFOUR_KEYBYTES
];
1758 uchar_t cksum
[MD5_HASHSIZE
];
1759 uchar_t saltdata
[CRYPT_ARCFOUR_KEYBYTES
];
1760 crypto_mechanism_t mech
;
1763 bzero(&indata
, sizeof (indata
));
1765 /* The usage constant is 1026 for all "old" rcmd mode operations */
1766 if (tmi
->dec_data
.option_mask
& CRYPTOPT_RCMD_MODE_V1
)
1767 usage
= RCMDV1_USAGE
;
1769 usage
= ARCFOUR_DECRYPT_USAGE
;
1772 * The size at this point should be the size of
1773 * all the plaintext plus the optional plaintext length
1774 * needed for RCMD V2 mode. There should also be room
1775 * at the head of the mblk for the confounder and hash info.
1777 inlen
= (size_t)MBLKL(mp
);
1780 * The cipherlen does not include the HMAC at the
1781 * head of the buffer.
1783 cipherlen
= inlen
- hash
->hash_len
;
1785 ASSERT(MBLKSIZE(mp
) >= cipherlen
);
1786 if (tmi
->dec_data
.method
== CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP
) {
1787 bcopy(ARCFOUR_EXP_SALT
, saltdata
, strlen(ARCFOUR_EXP_SALT
));
1789 saltdata
[10] = usage
& 0xff;
1790 saltdata
[11] = (usage
>> 8) & 0xff;
1791 saltdata
[12] = (usage
>> 16) & 0xff;
1792 saltdata
[13] = (usage
>> 24) & 0xff;
1795 saltdata
[0] = usage
& 0xff;
1796 saltdata
[1] = (usage
>> 8) & 0xff;
1797 saltdata
[2] = (usage
>> 16) & 0xff;
1798 saltdata
[3] = (usage
>> 24) & 0xff;
1802 * Use the salt value to create a key to be used
1803 * for subsequent HMAC operations.
1805 result
= do_hmac(md5_hmac_mech
,
1807 (char *)saltdata
, saltlen
,
1808 (char *)k1data
, sizeof (k1data
));
1809 if (result
!= CRYPTO_SUCCESS
) {
1811 "arcfour_hmac_md5_decrypt: do_hmac(k1)"
1812 "failed - error %0x", result
);
1815 bcopy(k1data
, k2data
, sizeof (k1data
));
1818 * For the neutered MS RC4 encryption type,
1819 * set the trailing 9 bytes to 0xab per the
1822 if (tmi
->dec_data
.method
== CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP
) {
1823 bcopy((void *)&k1data
[7], ms_exp
, sizeof (ms_exp
));
1826 mech
.cm_type
= tmi
->dec_data
.mech_type
;
1827 mech
.cm_param
= NULL
;
1828 mech
.cm_param_len
= 0;
1831 * If we have not yet initialized the decryption key,
1832 * context, and template, do it now.
1834 if (tmi
->dec_data
.ctx
== NULL
||
1835 (tmi
->dec_data
.option_mask
& CRYPTOPT_RCMD_MODE_V1
)) {
1836 k1
.ck_format
= CRYPTO_KEY_RAW
;
1837 k1
.ck_length
= CRYPT_ARCFOUR_KEYBYTES
* 8;
1838 k1
.ck_data
= k1data
;
1840 tmi
->dec_data
.d_encr_key
.ck_format
= CRYPTO_KEY_RAW
;
1841 tmi
->dec_data
.d_encr_key
.ck_length
= k1
.ck_length
;
1842 if (tmi
->dec_data
.d_encr_key
.ck_data
== NULL
)
1843 tmi
->dec_data
.d_encr_key
.ck_data
= kmem_zalloc(
1844 CRYPT_ARCFOUR_KEYBYTES
, KM_SLEEP
);
1847 * HMAC operation creates the encryption
1848 * key to be used for the decrypt operations.
1850 result
= do_hmac(md5_hmac_mech
, &k1
,
1851 (char *)mp
->b_rptr
, hash
->hash_len
,
1852 (char *)tmi
->dec_data
.d_encr_key
.ck_data
,
1853 CRYPT_ARCFOUR_KEYBYTES
);
1856 if (result
!= CRYPTO_SUCCESS
) {
1858 "arcfour_hmac_md5_decrypt: do_hmac(k3)"
1859 "failed - error %0x", result
);
1864 tmi
->dec_data
.enc_tmpl
= NULL
;
1866 if (tmi
->dec_data
.ctx
== NULL
&&
1867 (tmi
->dec_data
.option_mask
& CRYPTOPT_RCMD_MODE_V2
)) {
1869 * Only create a template if we are doing
1870 * chaining from block to block.
1872 result
= crypto_create_ctx_template(&mech
,
1873 &tmi
->dec_data
.d_encr_key
,
1874 &tmi
->dec_data
.enc_tmpl
,
1876 if (result
== CRYPTO_NOT_SUPPORTED
) {
1877 tmi
->dec_data
.enc_tmpl
= NULL
;
1878 } else if (result
!= CRYPTO_SUCCESS
) {
1880 "arcfour_hmac_md5_decrypt: "
1881 "failed to create dec template "
1882 "for RC4 encrypt: %0x", result
);
1886 result
= crypto_decrypt_init(&mech
,
1887 &tmi
->dec_data
.d_encr_key
,
1888 tmi
->dec_data
.enc_tmpl
,
1889 &tmi
->dec_data
.ctx
, NULL
);
1891 if (result
!= CRYPTO_SUCCESS
) {
1892 cmn_err(CE_WARN
, "crypto_decrypt_init failed:"
1898 /* adjust the rptr so we don't decrypt the original hmac field */
1900 v1
.iov_base
= (char *)mp
->b_rptr
+ hash
->hash_len
;
1901 v1
.iov_len
= cipherlen
;
1903 indata
.cd_format
= CRYPTO_DATA_RAW
;
1904 indata
.cd_offset
= 0;
1905 indata
.cd_length
= cipherlen
;
1908 if (tmi
->dec_data
.option_mask
& CRYPTOPT_RCMD_MODE_V2
)
1909 result
= crypto_decrypt_update(tmi
->dec_data
.ctx
,
1910 &indata
, NULL
, NULL
);
1912 result
= crypto_decrypt(&mech
, &indata
,
1913 &tmi
->dec_data
.d_encr_key
, NULL
, NULL
, NULL
);
1915 if (result
!= CRYPTO_SUCCESS
) {
1916 cmn_err(CE_WARN
, "crypto_decrypt_update failed:"
1921 k2
.ck_format
= CRYPTO_KEY_RAW
;
1922 k2
.ck_length
= sizeof (k2data
) * 8;
1923 k2
.ck_data
= k2data
;
1925 result
= do_hmac(md5_hmac_mech
,
1927 (char *)mp
->b_rptr
+ hash
->hash_len
, cipherlen
,
1928 (char *)cksum
, hash
->hash_len
);
1930 if (result
!= CRYPTO_SUCCESS
) {
1932 "arcfour_hmac_md5_decrypt: do_hmac(k2)"
1933 "failed - error %0x", result
);
1937 if (bcmp(cksum
, mp
->b_rptr
, hash
->hash_len
) != 0) {
1938 cmn_err(CE_WARN
, "arcfour_decrypt HMAC comparison failed");
1944 * adjust the start of the mblk to skip over the
1945 * hash and confounder.
1947 mp
->b_rptr
+= hash
->hash_len
+ hash
->confound_len
;
1950 bzero(k1data
, sizeof (k1data
));
1951 bzero(k2data
, sizeof (k2data
));
1952 bzero(cksum
, sizeof (cksum
));
1953 bzero(saltdata
, sizeof (saltdata
));
1954 if (result
!= CRYPTO_SUCCESS
) {
1955 mp
->b_datap
->db_type
= M_ERROR
;
1956 mp
->b_rptr
= mp
->b_datap
->db_base
;
1958 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
1959 freemsg(mp
->b_cont
);
1968 * ARCFOUR-HMAC-MD5 encrypt
1970 * format of ciphertext when using ARCFOUR-HMAC-MD5
1971 * +-----------+------------+------------+
1972 * | hmac | confounder | msg-data |
1973 * +-----------+------------+------------+
1977 arcfour_hmac_md5_encrypt(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
,
1984 crypto_key_t k1
, k2
;
1985 crypto_data_t indata
;
1987 uchar_t ms_exp
[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1988 0xab, 0xab, 0xab, 0xab };
1989 uchar_t k1data
[CRYPT_ARCFOUR_KEYBYTES
];
1990 uchar_t k2data
[CRYPT_ARCFOUR_KEYBYTES
];
1991 uchar_t saltdata
[CRYPT_ARCFOUR_KEYBYTES
];
1992 crypto_mechanism_t mech
;
1995 bzero(&indata
, sizeof (indata
));
1997 /* The usage constant is 1026 for all "old" rcmd mode operations */
1998 if (tmi
->enc_data
.option_mask
& CRYPTOPT_RCMD_MODE_V1
)
1999 usage
= RCMDV1_USAGE
;
2001 usage
= ARCFOUR_ENCRYPT_USAGE
;
2003 mech
.cm_type
= tmi
->enc_data
.mech_type
;
2004 mech
.cm_param
= NULL
;
2005 mech
.cm_param_len
= 0;
2008 * The size at this point should be the size of
2009 * all the plaintext plus the optional plaintext length
2010 * needed for RCMD V2 mode. There should also be room
2011 * at the head of the mblk for the confounder and hash info.
2013 inlen
= (size_t)MBLKL(mp
);
2015 cipherlen
= encrypt_size(&tmi
->enc_data
, inlen
);
2017 ASSERT(MBLKSIZE(mp
) >= cipherlen
);
2020 * Shift the rptr back enough to insert
2021 * the confounder and hash.
2023 mp
->b_rptr
-= (hash
->confound_len
+ hash
->hash_len
);
2025 /* zero out the hash area */
2026 bzero(mp
->b_rptr
, (size_t)hash
->hash_len
);
2028 if (cipherlen
> inlen
) {
2029 bzero(mp
->b_wptr
, MBLKTAIL(mp
));
2032 if (tmi
->enc_data
.method
== CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP
) {
2033 bcopy(ARCFOUR_EXP_SALT
, saltdata
, strlen(ARCFOUR_EXP_SALT
));
2035 saltdata
[10] = usage
& 0xff;
2036 saltdata
[11] = (usage
>> 8) & 0xff;
2037 saltdata
[12] = (usage
>> 16) & 0xff;
2038 saltdata
[13] = (usage
>> 24) & 0xff;
2041 saltdata
[0] = usage
& 0xff;
2042 saltdata
[1] = (usage
>> 8) & 0xff;
2043 saltdata
[2] = (usage
>> 16) & 0xff;
2044 saltdata
[3] = (usage
>> 24) & 0xff;
2048 * Use the salt value to create a key to be used
2049 * for subsequent HMAC operations.
2051 result
= do_hmac(md5_hmac_mech
,
2053 (char *)saltdata
, saltlen
,
2054 (char *)k1data
, sizeof (k1data
));
2055 if (result
!= CRYPTO_SUCCESS
) {
2057 "arcfour_hmac_md5_encrypt: do_hmac(k1)"
2058 "failed - error %0x", result
);
2062 bcopy(k1data
, k2data
, sizeof (k2data
));
2065 * For the neutered MS RC4 encryption type,
2066 * set the trailing 9 bytes to 0xab per the
2069 if (tmi
->enc_data
.method
== CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP
) {
2070 bcopy((void *)&k1data
[7], ms_exp
, sizeof (ms_exp
));
2074 * Get the confounder bytes.
2076 (void) random_get_pseudo_bytes(
2077 (uint8_t *)(mp
->b_rptr
+ hash
->hash_len
),
2078 (size_t)hash
->confound_len
);
2080 k2
.ck_data
= k2data
;
2081 k2
.ck_format
= CRYPTO_KEY_RAW
;
2082 k2
.ck_length
= sizeof (k2data
) * 8;
2085 * This writes the HMAC to the hash area in the
2086 * mblk. The key used is the one just created by
2087 * the previous HMAC operation.
2088 * The data being processed is the confounder bytes
2089 * PLUS the input plaintext.
2091 result
= do_hmac(md5_hmac_mech
, &k2
,
2092 (char *)mp
->b_rptr
+ hash
->hash_len
,
2093 hash
->confound_len
+ inlen
,
2094 (char *)mp
->b_rptr
, hash
->hash_len
);
2095 if (result
!= CRYPTO_SUCCESS
) {
2097 "arcfour_hmac_md5_encrypt: do_hmac(k2)"
2098 "failed - error %0x", result
);
2102 * Because of the odd way that MIT uses RC4 keys
2103 * on the rlogin stream, we only need to create
2105 * However, if using "old" rcmd mode, we need to do
2108 if (tmi
->enc_data
.ctx
== NULL
||
2109 (tmi
->enc_data
.option_mask
& CRYPTOPT_RCMD_MODE_V1
)) {
2110 crypto_key_t
*key
= &tmi
->enc_data
.d_encr_key
;
2112 k1
.ck_data
= k1data
;
2113 k1
.ck_format
= CRYPTO_KEY_RAW
;
2114 k1
.ck_length
= sizeof (k1data
) * 8;
2116 key
->ck_format
= CRYPTO_KEY_RAW
;
2117 key
->ck_length
= k1
.ck_length
;
2118 if (key
->ck_data
== NULL
)
2119 key
->ck_data
= kmem_zalloc(
2120 CRYPT_ARCFOUR_KEYBYTES
, KM_SLEEP
);
2123 * The final HMAC operation creates the encryption
2124 * key to be used for the encrypt operation.
2126 result
= do_hmac(md5_hmac_mech
, &k1
,
2127 (char *)mp
->b_rptr
, hash
->hash_len
,
2128 (char *)key
->ck_data
, CRYPT_ARCFOUR_KEYBYTES
);
2130 if (result
!= CRYPTO_SUCCESS
) {
2132 "arcfour_hmac_md5_encrypt: do_hmac(k3)"
2133 "failed - error %0x", result
);
2139 * If the context has not been initialized, do it now.
2141 if (tmi
->enc_data
.ctx
== NULL
&&
2142 (tmi
->enc_data
.option_mask
& CRYPTOPT_RCMD_MODE_V2
)) {
2144 * Only create a template if we are doing
2145 * chaining from block to block.
2147 result
= crypto_create_ctx_template(&mech
,
2148 &tmi
->enc_data
.d_encr_key
,
2149 &tmi
->enc_data
.enc_tmpl
,
2151 if (result
== CRYPTO_NOT_SUPPORTED
) {
2152 tmi
->enc_data
.enc_tmpl
= NULL
;
2153 } else if (result
!= CRYPTO_SUCCESS
) {
2154 cmn_err(CE_WARN
, "failed to create enc template "
2155 "for RC4 encrypt: %0x", result
);
2159 result
= crypto_encrypt_init(&mech
,
2160 &tmi
->enc_data
.d_encr_key
,
2161 tmi
->enc_data
.enc_tmpl
,
2162 &tmi
->enc_data
.ctx
, NULL
);
2163 if (result
!= CRYPTO_SUCCESS
) {
2164 cmn_err(CE_WARN
, "crypto_encrypt_init failed:"
2169 v1
.iov_base
= (char *)mp
->b_rptr
+ hash
->hash_len
;
2170 v1
.iov_len
= hash
->confound_len
+ inlen
;
2172 indata
.cd_format
= CRYPTO_DATA_RAW
;
2173 indata
.cd_offset
= 0;
2174 indata
.cd_length
= hash
->confound_len
+ inlen
;
2177 if (tmi
->enc_data
.option_mask
& CRYPTOPT_RCMD_MODE_V2
)
2178 result
= crypto_encrypt_update(tmi
->enc_data
.ctx
,
2179 &indata
, NULL
, NULL
);
2181 result
= crypto_encrypt(&mech
, &indata
,
2182 &tmi
->enc_data
.d_encr_key
, NULL
,
2185 if (result
!= CRYPTO_SUCCESS
) {
2186 cmn_err(CE_WARN
, "crypto_encrypt_update failed: 0x%0x",
2191 bzero(k1data
, sizeof (k1data
));
2192 bzero(k2data
, sizeof (k2data
));
2193 bzero(saltdata
, sizeof (saltdata
));
2194 if (result
!= CRYPTO_SUCCESS
) {
2195 mp
->b_datap
->db_type
= M_ERROR
;
2196 mp
->b_rptr
= mp
->b_datap
->db_base
;
2198 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
2199 freemsg(mp
->b_cont
);
2208 * DES-CBC-[HASH] encrypt
2210 * Needed to support userland apps that must support Kerberos V5
2211 * encryption DES-CBC encryption modes.
2213 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2215 * format of ciphertext for DES-CBC functions, per RFC1510 is:
2216 * +-----------+----------+-------------+-----+
2217 * |confounder | cksum | msg-data | pad |
2218 * +-----------+----------+-------------+-----+
2220 * format of ciphertext when using DES3-SHA1-HMAC
2221 * +-----------+----------+-------------+-----+
2222 * |confounder | msg-data | hmac | pad |
2223 * +-----------+----------+-------------+-----+
2225 * The confounder is 8 bytes of random data.
2226 * The cksum depends on the hash being used.
2234 des_cbc_encrypt(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
, hash_info_t
*hash
)
2242 * The size at this point should be the size of
2243 * all the plaintext plus the optional plaintext length
2244 * needed for RCMD V2 mode. There should also be room
2245 * at the head of the mblk for the confounder and hash info.
2247 inlen
= (size_t)MBLKL(mp
);
2250 * The output size will be a multiple of 8 because this algorithm
2251 * only works on 8 byte chunks.
2253 cipherlen
= encrypt_size(&tmi
->enc_data
, inlen
);
2255 ASSERT(MBLKSIZE(mp
) >= cipherlen
);
2257 if (cipherlen
> inlen
) {
2258 bzero(mp
->b_wptr
, MBLKTAIL(mp
));
2262 * Shift the rptr back enough to insert
2263 * the confounder and hash.
2265 if (tmi
->enc_data
.method
== CRYPT_METHOD_DES3_CBC_SHA1
) {
2266 mp
->b_rptr
-= hash
->confound_len
;
2268 mp
->b_rptr
-= (hash
->confound_len
+ hash
->hash_len
);
2270 /* zero out the hash area */
2271 bzero(mp
->b_rptr
+ hash
->confound_len
, (size_t)hash
->hash_len
);
2274 /* get random confounder from our friend, the 'random' module */
2275 if (hash
->confound_len
> 0) {
2276 (void) random_get_pseudo_bytes((uint8_t *)mp
->b_rptr
,
2277 (size_t)hash
->confound_len
);
2281 * For 3DES we calculate an HMAC later.
2283 if (tmi
->enc_data
.method
!= CRYPT_METHOD_DES3_CBC_SHA1
) {
2284 /* calculate chksum of confounder + input */
2285 if (hash
->hash_len
> 0 && hash
->hashfunc
!= NULL
) {
2286 uchar_t cksum
[MAX_CKSUM_LEN
];
2288 result
= hash
->hashfunc(cksum
, mp
->b_rptr
,
2290 if (result
!= CRYPTO_SUCCESS
) {
2294 /* put hash in place right after the confounder */
2295 bcopy(cksum
, (mp
->b_rptr
+ hash
->confound_len
),
2296 (size_t)hash
->hash_len
);
2300 * In order to support the "old" Kerberos RCMD protocol,
2301 * we must use the IVEC 3 different ways:
2302 * IVEC_REUSE = keep using the same IV each time, this is
2303 * ugly and insecure, but necessary for
2304 * backwards compatibility with existing MIT code.
2305 * IVEC_ONETIME = Use the ivec as initialized when the crypto
2306 * was setup (see setup_crypto routine).
2307 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2309 if (tmi
->enc_data
.ivec_usage
== IVEC_NEVER
) {
2310 bzero(tmi
->enc_data
.block
, tmi
->enc_data
.blocklen
);
2311 } else if (tmi
->enc_data
.ivec_usage
== IVEC_REUSE
) {
2312 bcopy(tmi
->enc_data
.ivec
, tmi
->enc_data
.block
,
2313 tmi
->enc_data
.blocklen
);
2316 if (tmi
->enc_data
.method
== CRYPT_METHOD_DES3_CBC_SHA1
) {
2318 * The input length already included the hash size,
2319 * don't include this in the plaintext length
2322 plainlen
= cipherlen
- hash
->hash_len
;
2324 mp
->b_wptr
= mp
->b_rptr
+ plainlen
;
2326 result
= kef_encr_hmac(&tmi
->enc_data
,
2327 (void *)mp
, (size_t)plainlen
,
2328 (char *)(mp
->b_rptr
+ plainlen
),
2331 ASSERT(mp
->b_rptr
+ cipherlen
<= DB_LIM(mp
));
2332 mp
->b_wptr
= mp
->b_rptr
+ cipherlen
;
2333 result
= kef_crypt(&tmi
->enc_data
, (void *)mp
,
2334 CRYPTO_DATA_MBLK
, (size_t)cipherlen
,
2338 if (result
!= CRYPTO_SUCCESS
) {
2341 "des_cbc_encrypt: kef_crypt encrypt "
2342 "failed (len: %ld) - error %0x",
2345 mp
->b_datap
->db_type
= M_ERROR
;
2346 mp
->b_rptr
= mp
->b_datap
->db_base
;
2348 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
2349 freemsg(mp
->b_cont
);
2353 } else if (tmi
->enc_data
.ivec_usage
== IVEC_ONETIME
) {
2355 * Because we are using KEF, we must manually
2358 bcopy(mp
->b_wptr
- tmi
->enc_data
.ivlen
,
2359 tmi
->enc_data
.block
, tmi
->enc_data
.ivlen
);
2361 if (tmi
->enc_data
.method
== CRYPT_METHOD_DES3_CBC_SHA1
) {
2362 mp
->b_wptr
= mp
->b_rptr
+ cipherlen
;
2372 * Needed to support userland apps that must support Kerberos V5
2373 * encryption DES-CBC decryption modes.
2375 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2377 * format of ciphertext for DES-CBC functions, per RFC1510 is:
2378 * +-----------+----------+-------------+-----+
2379 * |confounder | cksum | msg-data | pad |
2380 * +-----------+----------+-------------+-----+
2382 * format of ciphertext when using DES3-SHA1-HMAC
2383 * +-----------+----------+-------------+-----+
2384 * |confounder | msg-data | hmac | pad |
2385 * +-----------+----------+-------------+-----+
2387 * The confounder is 8 bytes of random data.
2388 * The cksum depends on the hash being used.
2396 des_cbc_decrypt(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
, hash_info_t
*hash
)
2398 uint_t inlen
, datalen
;
2400 uchar_t
*optr
= NULL
;
2401 uchar_t cksum
[MAX_CKSUM_LEN
], newcksum
[MAX_CKSUM_LEN
];
2402 uchar_t nextiv
[DEFAULT_DES_BLOCKLEN
];
2404 /* Compute adjusted size */
2410 * In order to support the "old" Kerberos RCMD protocol,
2411 * we must use the IVEC 3 different ways:
2412 * IVEC_REUSE = keep using the same IV each time, this is
2413 * ugly and insecure, but necessary for
2414 * backwards compatibility with existing MIT code.
2415 * IVEC_ONETIME = Use the ivec as initialized when the crypto
2416 * was setup (see setup_crypto routine).
2417 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2419 if (tmi
->dec_data
.ivec_usage
== IVEC_NEVER
)
2420 bzero(tmi
->dec_data
.block
, tmi
->dec_data
.blocklen
);
2421 else if (tmi
->dec_data
.ivec_usage
== IVEC_REUSE
)
2422 bcopy(tmi
->dec_data
.ivec
, tmi
->dec_data
.block
,
2423 tmi
->dec_data
.blocklen
);
2425 if (tmi
->dec_data
.method
== CRYPT_METHOD_DES3_CBC_SHA1
) {
2427 * Do not decrypt the HMAC at the end
2429 int decrypt_len
= inlen
- hash
->hash_len
;
2432 * Move the wptr so the mblk appears to end
2433 * BEFORE the HMAC section.
2435 mp
->b_wptr
= mp
->b_rptr
+ decrypt_len
;
2438 * Because we are using KEF, we must manually update our
2441 if (tmi
->dec_data
.ivec_usage
== IVEC_ONETIME
) {
2442 bcopy(mp
->b_rptr
+ decrypt_len
- tmi
->dec_data
.ivlen
,
2443 nextiv
, tmi
->dec_data
.ivlen
);
2446 result
= kef_decr_hmac(&tmi
->dec_data
, mp
, decrypt_len
,
2447 (char *)newcksum
, hash
->hash_len
);
2450 * Because we are using KEF, we must manually update our
2453 if (tmi
->dec_data
.ivec_usage
== IVEC_ONETIME
) {
2454 bcopy(mp
->b_wptr
- tmi
->enc_data
.ivlen
, nextiv
,
2455 tmi
->dec_data
.ivlen
);
2457 result
= kef_crypt(&tmi
->dec_data
, (void *)mp
,
2458 CRYPTO_DATA_MBLK
, (size_t)inlen
, CRYPT_DECRYPT
);
2460 if (result
!= CRYPTO_SUCCESS
) {
2463 "des_cbc_decrypt: kef_crypt decrypt "
2464 "failed - error %0x", result
);
2466 mp
->b_datap
->db_type
= M_ERROR
;
2467 mp
->b_rptr
= mp
->b_datap
->db_base
;
2469 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
2470 freemsg(mp
->b_cont
);
2477 * Manually update the IV, KEF does not track this for us.
2479 if (tmi
->dec_data
.ivec_usage
== IVEC_ONETIME
) {
2480 bcopy(nextiv
, tmi
->dec_data
.block
, tmi
->dec_data
.ivlen
);
2483 /* Verify the checksum(if necessary) */
2484 if (hash
->hash_len
> 0) {
2485 if (tmi
->dec_data
.method
== CRYPT_METHOD_DES3_CBC_SHA1
) {
2486 bcopy(mp
->b_rptr
+ inlen
- hash
->hash_len
, cksum
,
2489 bcopy(optr
+ hash
->confound_len
, cksum
, hash
->hash_len
);
2491 /* zero the cksum in the buffer */
2492 ASSERT(optr
+ hash
->confound_len
+ hash
->hash_len
<=
2494 bzero(optr
+ hash
->confound_len
, hash
->hash_len
);
2496 /* calculate MD5 chksum of confounder + input */
2497 if (hash
->hashfunc
) {
2498 (void) hash
->hashfunc(newcksum
, optr
, inlen
);
2502 if (bcmp(cksum
, newcksum
, hash
->hash_len
)) {
2504 cmn_err(CE_WARN
, "des_cbc_decrypt: checksum "
2505 "verification failed");
2507 mp
->b_datap
->db_type
= M_ERROR
;
2508 mp
->b_rptr
= mp
->b_datap
->db_base
;
2510 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
2511 freemsg(mp
->b_cont
);
2518 datalen
= inlen
- hash
->confound_len
- hash
->hash_len
;
2520 /* Move just the decrypted input into place if necessary */
2521 if (hash
->confound_len
> 0 || hash
->hash_len
> 0) {
2522 if (tmi
->dec_data
.method
== CRYPT_METHOD_DES3_CBC_SHA1
)
2523 mp
->b_rptr
+= hash
->confound_len
;
2525 mp
->b_rptr
+= hash
->confound_len
+ hash
->hash_len
;
2528 ASSERT(mp
->b_rptr
+ datalen
<= DB_LIM(mp
));
2529 mp
->b_wptr
= mp
->b_rptr
+ datalen
;
2535 do_decrypt(queue_t
*q
, mblk_t
*mp
)
2537 struct tmodinfo
*tmi
= (struct tmodinfo
*)q
->q_ptr
;
2540 switch (tmi
->dec_data
.method
) {
2541 case CRYPT_METHOD_DES_CFB
:
2542 outmp
= des_cfb_decrypt(q
, tmi
, mp
);
2544 case CRYPT_METHOD_NONE
:
2547 case CRYPT_METHOD_DES_CBC_NULL
:
2548 outmp
= des_cbc_decrypt(q
, tmi
, mp
, &null_hash
);
2550 case CRYPT_METHOD_DES_CBC_MD5
:
2551 outmp
= des_cbc_decrypt(q
, tmi
, mp
, &md5_hash
);
2553 case CRYPT_METHOD_DES_CBC_CRC
:
2554 outmp
= des_cbc_decrypt(q
, tmi
, mp
, &crc32_hash
);
2556 case CRYPT_METHOD_DES3_CBC_SHA1
:
2557 outmp
= des_cbc_decrypt(q
, tmi
, mp
, &sha1_hash
);
2559 case CRYPT_METHOD_ARCFOUR_HMAC_MD5
:
2560 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP
:
2561 outmp
= arcfour_hmac_md5_decrypt(q
, tmi
, mp
, &md5_hash
);
2563 case CRYPT_METHOD_AES128
:
2564 case CRYPT_METHOD_AES256
:
2565 outmp
= aes_decrypt(q
, tmi
, mp
, &sha1_hash
);
2574 * Generic encryption routine for a single message block.
2575 * The input mblk may be replaced by some encrypt routines
2576 * because they add extra data in some cases that may exceed
2577 * the input mblk_t size limit.
2580 do_encrypt(queue_t
*q
, mblk_t
*mp
)
2582 struct tmodinfo
*tmi
= (struct tmodinfo
*)q
->q_ptr
;
2585 switch (tmi
->enc_data
.method
) {
2586 case CRYPT_METHOD_DES_CFB
:
2587 outmp
= des_cfb_encrypt(q
, tmi
, mp
);
2589 case CRYPT_METHOD_DES_CBC_NULL
:
2590 outmp
= des_cbc_encrypt(q
, tmi
, mp
, &null_hash
);
2592 case CRYPT_METHOD_DES_CBC_MD5
:
2593 outmp
= des_cbc_encrypt(q
, tmi
, mp
, &md5_hash
);
2595 case CRYPT_METHOD_DES_CBC_CRC
:
2596 outmp
= des_cbc_encrypt(q
, tmi
, mp
, &crc32_hash
);
2598 case CRYPT_METHOD_DES3_CBC_SHA1
:
2599 outmp
= des_cbc_encrypt(q
, tmi
, mp
, &sha1_hash
);
2601 case CRYPT_METHOD_ARCFOUR_HMAC_MD5
:
2602 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP
:
2603 outmp
= arcfour_hmac_md5_encrypt(q
, tmi
, mp
, &md5_hash
);
2605 case CRYPT_METHOD_AES128
:
2606 case CRYPT_METHOD_AES256
:
2607 outmp
= aes_encrypt(q
, tmi
, mp
, &sha1_hash
);
2609 case CRYPT_METHOD_NONE
:
2619 * This takes the data from the CRYPTIOCSETUP ioctl
2620 * and sets up a cipher_data_t structure for either
2621 * encryption or decryption. This is where the
2622 * key and initialization vector data get stored
2623 * prior to beginning any crypto functions.
2626 * Some applications(e.g. telnetd) have ability to switch
2627 * crypto on/off periodically. Thus, the application may call
2628 * the CRYPTIOCSETUP ioctl many times for the same stream.
2629 * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
2630 * assume that the key, block, and saveblock fields that are already
2631 * set from a previous CRIOCSETUP call are still valid. This helps avoid
2632 * a rekeying error that could occur if we overwrite these fields
2633 * with each CRYPTIOCSETUP call.
2634 * In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
2635 * without resetting the original crypto parameters.
2639 setup_crypto(struct cr_info_t
*ci
, struct cipher_data_t
*cd
, int encrypt
)
2642 uint32_t enc_usage
= 0, dec_usage
= 0;
2646 * Initial sanity checks
2648 if (!CR_METHOD_OK(ci
->crypto_method
)) {
2649 cmn_err(CE_WARN
, "Illegal crypto method (%d)",
2653 if (!CR_OPTIONS_OK(ci
->option_mask
)) {
2654 cmn_err(CE_WARN
, "Illegal crypto options (%d)",
2658 if (!CR_IVUSAGE_OK(ci
->ivec_usage
)) {
2659 cmn_err(CE_WARN
, "Illegal ivec usage value (%d)",
2664 cd
->method
= ci
->crypto_method
;
2667 if (ci
->keylen
> 0) {
2668 if (cd
->key
!= NULL
) {
2669 kmem_free(cd
->key
, cd
->keylen
);
2674 * cd->key holds the copy of the raw key bytes passed in
2675 * from the userland app.
2677 cd
->key
= kmem_alloc((size_t)ci
->keylen
, KM_SLEEP
);
2679 cd
->keylen
= ci
->keylen
;
2680 bcopy(ci
->key
, cd
->key
, (size_t)ci
->keylen
);
2684 * Configure the block size based on the type of cipher.
2686 switch (cd
->method
) {
2687 case CRYPT_METHOD_NONE
:
2690 case CRYPT_METHOD_DES_CFB
:
2691 newblocklen
= DEFAULT_DES_BLOCKLEN
;
2692 cd
->mech_type
= crypto_mech2id(SUN_CKM_DES_ECB
);
2694 case CRYPT_METHOD_DES_CBC_NULL
:
2695 case CRYPT_METHOD_DES_CBC_MD5
:
2696 case CRYPT_METHOD_DES_CBC_CRC
:
2697 newblocklen
= DEFAULT_DES_BLOCKLEN
;
2698 cd
->mech_type
= crypto_mech2id(SUN_CKM_DES_CBC
);
2700 case CRYPT_METHOD_DES3_CBC_SHA1
:
2701 newblocklen
= DEFAULT_DES_BLOCKLEN
;
2702 cd
->mech_type
= crypto_mech2id(SUN_CKM_DES3_CBC
);
2703 /* 3DES always uses the old usage constant */
2704 enc_usage
= RCMDV1_USAGE
;
2705 dec_usage
= RCMDV1_USAGE
;
2707 case CRYPT_METHOD_ARCFOUR_HMAC_MD5
:
2708 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP
:
2710 cd
->mech_type
= crypto_mech2id(SUN_CKM_RC4
);
2712 case CRYPT_METHOD_AES128
:
2713 case CRYPT_METHOD_AES256
:
2714 newblocklen
= DEFAULT_AES_BLOCKLEN
;
2715 cd
->mech_type
= crypto_mech2id(SUN_CKM_AES_ECB
);
2716 enc_usage
= AES_ENCRYPT_USAGE
;
2717 dec_usage
= AES_DECRYPT_USAGE
;
2720 if (cd
->mech_type
== CRYPTO_MECH_INVALID
) {
2721 return (CRYPTO_FAILED
);
2725 * If RC4, initialize the master crypto key used by
2726 * the RC4 algorithm to derive the final encrypt and decrypt keys.
2728 if (cd
->keylen
> 0 && IS_RC4_METHOD(cd
->method
)) {
2730 * cd->ckey is a kernel crypto key structure used as the
2731 * master key in the RC4-HMAC crypto operations.
2733 if (cd
->ckey
== NULL
) {
2734 cd
->ckey
= (crypto_key_t
*)kmem_zalloc(
2735 sizeof (crypto_key_t
), KM_SLEEP
);
2738 cd
->ckey
->ck_format
= CRYPTO_KEY_RAW
;
2739 cd
->ckey
->ck_data
= cd
->key
;
2741 /* key length for EF is measured in bits */
2742 cd
->ckey
->ck_length
= cd
->keylen
* 8;
2746 * cd->block and cd->saveblock are used as temporary storage for
2747 * data that must be carried over between encrypt/decrypt operations
2748 * in some of the "feedback" modes.
2750 if (newblocklen
!= cd
->blocklen
) {
2751 if (cd
->block
!= NULL
) {
2752 kmem_free(cd
->block
, cd
->blocklen
);
2756 if (cd
->saveblock
!= NULL
) {
2757 kmem_free(cd
->saveblock
, cd
->blocklen
);
2758 cd
->saveblock
= NULL
;
2761 cd
->blocklen
= newblocklen
;
2763 cd
->block
= kmem_zalloc((size_t)cd
->blocklen
,
2767 if (cd
->method
== CRYPT_METHOD_DES_CFB
)
2768 cd
->saveblock
= kmem_zalloc(cd
->blocklen
,
2771 cd
->saveblock
= NULL
;
2774 if (ci
->iveclen
!= cd
->ivlen
) {
2775 if (cd
->ivec
!= NULL
) {
2776 kmem_free(cd
->ivec
, cd
->ivlen
);
2779 if (ci
->ivec_usage
!= IVEC_NEVER
&& ci
->iveclen
> 0) {
2780 cd
->ivec
= kmem_zalloc((size_t)ci
->iveclen
,
2782 cd
->ivlen
= ci
->iveclen
;
2788 cd
->option_mask
= ci
->option_mask
;
2791 * Old protocol requires a static 'usage' value for
2792 * deriving keys. Yuk.
2794 if (cd
->option_mask
& CRYPTOPT_RCMD_MODE_V1
) {
2795 enc_usage
= dec_usage
= RCMDV1_USAGE
;
2798 if (cd
->ivlen
> cd
->blocklen
) {
2799 cmn_err(CE_WARN
, "setup_crypto: IV longer than block size");
2804 * If we are using an IVEC "correctly" (i.e. set it once)
2807 if (ci
->ivec_usage
== IVEC_ONETIME
&& cd
->block
!= NULL
)
2808 bcopy(ci
->ivec
, cd
->block
, (size_t)cd
->ivlen
);
2810 cd
->ivec_usage
= ci
->ivec_usage
;
2811 if (cd
->ivec
!= NULL
) {
2812 /* Save the original IVEC in case we need it later */
2813 bcopy(ci
->ivec
, cd
->ivec
, (size_t)cd
->ivlen
);
2816 * Special handling for 3DES-SHA1-HMAC and AES crypto:
2817 * generate derived keys and context templates
2818 * for better performance.
2820 if (cd
->method
== CRYPT_METHOD_DES3_CBC_SHA1
||
2821 IS_AES_METHOD(cd
->method
)) {
2822 crypto_mechanism_t enc_mech
;
2823 crypto_mechanism_t hmac_mech
;
2825 if (cd
->d_encr_key
.ck_data
!= NULL
) {
2826 bzero(cd
->d_encr_key
.ck_data
, cd
->keylen
);
2827 kmem_free(cd
->d_encr_key
.ck_data
, cd
->keylen
);
2830 if (cd
->d_hmac_key
.ck_data
!= NULL
) {
2831 bzero(cd
->d_hmac_key
.ck_data
, cd
->keylen
);
2832 kmem_free(cd
->d_hmac_key
.ck_data
, cd
->keylen
);
2835 if (cd
->enc_tmpl
!= NULL
)
2836 (void) crypto_destroy_ctx_template(cd
->enc_tmpl
);
2838 if (cd
->hmac_tmpl
!= NULL
)
2839 (void) crypto_destroy_ctx_template(cd
->hmac_tmpl
);
2841 enc_mech
.cm_type
= cd
->mech_type
;
2842 enc_mech
.cm_param
= cd
->ivec
;
2843 enc_mech
.cm_param_len
= cd
->ivlen
;
2845 hmac_mech
.cm_type
= sha1_hmac_mech
;
2846 hmac_mech
.cm_param
= NULL
;
2847 hmac_mech
.cm_param_len
= 0;
2850 * Create the derived keys.
2852 rv
= create_derived_keys(cd
,
2853 (encrypt
? enc_usage
: dec_usage
),
2854 &cd
->d_encr_key
, &cd
->d_hmac_key
);
2856 if (rv
!= CRYPTO_SUCCESS
) {
2857 cmn_err(CE_WARN
, "failed to create derived "
2859 return (CRYPTO_FAILED
);
2862 rv
= crypto_create_ctx_template(&enc_mech
,
2864 &cd
->enc_tmpl
, KM_SLEEP
);
2865 if (rv
== CRYPTO_MECH_NOT_SUPPORTED
) {
2866 cd
->enc_tmpl
= NULL
;
2867 } else if (rv
!= CRYPTO_SUCCESS
) {
2868 cmn_err(CE_WARN
, "failed to create enc template "
2869 "for d_encr_key: %0x", rv
);
2870 return (CRYPTO_FAILED
);
2873 rv
= crypto_create_ctx_template(&hmac_mech
,
2875 &cd
->hmac_tmpl
, KM_SLEEP
);
2876 if (rv
== CRYPTO_MECH_NOT_SUPPORTED
) {
2877 cd
->hmac_tmpl
= NULL
;
2878 } else if (rv
!= CRYPTO_SUCCESS
) {
2879 cmn_err(CE_WARN
, "failed to create hmac template:"
2881 return (CRYPTO_FAILED
);
2883 } else if (IS_RC4_METHOD(cd
->method
)) {
2884 bzero(&cd
->d_encr_key
, sizeof (crypto_key_t
));
2885 bzero(&cd
->d_hmac_key
, sizeof (crypto_key_t
));
2887 cd
->enc_tmpl
= NULL
;
2888 cd
->hmac_tmpl
= NULL
;
2891 /* Final sanity checks, make sure no fields are NULL */
2892 if (cd
->method
!= CRYPT_METHOD_NONE
) {
2893 if (cd
->block
== NULL
&& cd
->blocklen
> 0) {
2896 "setup_crypto: IV block not allocated");
2900 if (cd
->key
== NULL
&& cd
->keylen
> 0) {
2903 "setup_crypto: key block not allocated");
2907 if (cd
->method
== CRYPT_METHOD_DES_CFB
&&
2908 cd
->saveblock
== NULL
&& cd
->blocklen
> 0) {
2911 "setup_crypto: save block not allocated");
2915 if (cd
->ivec
== NULL
&& cd
->ivlen
> 0) {
2918 "setup_crypto: IV not allocated");
2927 * RCMDS require a 4 byte, clear text
2928 * length field before each message.
2932 mklenmp(mblk_t
*bp
, uint32_t len
)
2937 if (bp
->b_rptr
- 4 < DB_BASE(bp
) || DB_REF(bp
) > 1) {
2938 lenmp
= allocb(4, BPRI_MED
);
2939 if (lenmp
!= NULL
) {
2940 lenmp
->b_rptr
= lenmp
->b_wptr
= DB_LIM(lenmp
);
2957 encrypt_block(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
, size_t plainlen
)
2965 uint32_t ptlen
= (uint32_t)plainlen
;
2967 * If we are using the "NEW" RCMD mode,
2968 * add 4 bytes to the plaintext for the
2969 * plaintext length that gets prepended
2970 * before encrypting.
2972 if (tmi
->enc_data
.option_mask
& CRYPTOPT_RCMD_MODE_V2
)
2975 cipherlen
= encrypt_size(&tmi
->enc_data
, (size_t)ptlen
);
2978 * if we must allocb, then make sure its enough
2979 * to hold the length field so we dont have to allocb
2980 * again down below in 'mklenmp'
2982 if (ANY_RCMD_MODE(tmi
->enc_data
.option_mask
)) {
2983 extra
= sizeof (uint32_t);
2987 * Calculate how much space is needed in front of
2990 headspace
= plaintext_offset(&tmi
->enc_data
);
2993 * If the current block is too small, reallocate
2994 * one large enough to hold the hdr, tail, and
2997 if ((cipherlen
+ extra
>= MBLKSIZE(mp
)) || DB_REF(mp
) > 1) {
2998 int sz
= P2ROUNDUP(cipherlen
+extra
, 8);
3000 cbp
= allocb_tmpl(sz
, mp
);
3003 "allocb (%d bytes) failed", sz
);
3007 cbp
->b_cont
= mp
->b_cont
;
3010 * headspace includes the length fields needed
3011 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
3013 ASSERT(cbp
->b_rptr
+ P2ROUNDUP(plainlen
+headspace
, 8)
3016 cbp
->b_rptr
= DB_BASE(cbp
) + headspace
;
3017 bcopy(mp
->b_rptr
, cbp
->b_rptr
, plainlen
);
3018 cbp
->b_wptr
= cbp
->b_rptr
+ plainlen
;
3026 * Some ciphers add HMAC after the final block
3027 * of the ciphertext, not at the beginning like the
3030 if (tmi
->enc_data
.method
==
3031 CRYPT_METHOD_DES3_CBC_SHA1
||
3032 IS_AES_METHOD(tmi
->enc_data
.method
)) {
3033 extra
= sha1_hash
.hash_len
;
3037 * Make sure the rptr is positioned correctly so that
3038 * routines later do not have to shift this data around
3040 if ((cbp
->b_rptr
+ P2ROUNDUP(cipherlen
+ extra
, 8) >
3042 (cbp
->b_rptr
- headspace
< DB_BASE(cbp
))) {
3043 ovbcopy(cbp
->b_rptr
, DB_BASE(cbp
) + headspace
,
3045 cbp
->b_rptr
= DB_BASE(cbp
) + headspace
;
3046 cbp
->b_wptr
= cbp
->b_rptr
+ plainlen
;
3050 ASSERT(cbp
->b_rptr
- headspace
>= DB_BASE(cbp
));
3051 ASSERT(cbp
->b_wptr
<= DB_LIM(cbp
));
3054 * If using RCMD_MODE_V2 (new rcmd mode), prepend
3055 * the plaintext length before the actual plaintext.
3057 if (tmi
->enc_data
.option_mask
& CRYPTOPT_RCMD_MODE_V2
) {
3058 cbp
->b_rptr
-= RCMD_LEN_SZ
;
3060 /* put plaintext length at head of buffer */
3061 *(cbp
->b_rptr
+ 3) = (uchar_t
)(plainlen
& 0xff);
3062 *(cbp
->b_rptr
+ 2) = (uchar_t
)((plainlen
>> 8) & 0xff);
3063 *(cbp
->b_rptr
+ 1) = (uchar_t
)((plainlen
>> 16) & 0xff);
3064 *(cbp
->b_rptr
) = (uchar_t
)((plainlen
>> 24) & 0xff);
3067 newmp
= do_encrypt(q
, cbp
);
3069 if (newmp
!= NULL
&&
3070 (tmi
->enc_data
.option_mask
&
3071 (CRYPTOPT_RCMD_MODE_V1
| CRYPTOPT_RCMD_MODE_V2
))) {
3074 * Add length field, required when this is
3075 * used to encrypt "r*" commands(rlogin, rsh)
3078 lp
= mklenmp(newmp
, plainlen
);
3093 * encrypt a single message. This routine adds the
3094 * RCMD overhead bytes when necessary.
3097 encrypt_msgb(queue_t
*q
, struct tmodinfo
*tmi
, mblk_t
*mp
)
3099 size_t plainlen
, outlen
;
3100 mblk_t
*newmp
= NULL
;
3102 /* If not encrypting, do nothing */
3103 if (tmi
->enc_data
.method
== CRYPT_METHOD_NONE
) {
3107 plainlen
= MBLKL(mp
);
3112 * If the block is too big, we encrypt in 4K chunks so that
3113 * older rlogin clients do not choke on the larger buffers.
3115 while ((plainlen
= MBLKL(mp
)) > MSGBUF_SIZE
) {
3117 outlen
= MSGBUF_SIZE
;
3119 * Allocate a new buffer that is only 4K bytes, the
3120 * extra bytes are for crypto overhead.
3122 mp1
= allocb(outlen
+ CONFOUNDER_BYTES
, BPRI_MED
);
3125 "allocb (%d bytes) failed",
3126 (int)(outlen
+ CONFOUNDER_BYTES
));
3129 /* Copy the next 4K bytes from the old block. */
3130 bcopy(mp
->b_rptr
, mp1
->b_rptr
, outlen
);
3131 mp1
->b_wptr
= mp1
->b_rptr
+ outlen
;
3132 /* Advance the old block. */
3133 mp
->b_rptr
+= outlen
;
3135 /* encrypt the new block */
3136 newmp
= encrypt_block(q
, tmi
, mp1
, outlen
);
3143 /* If there is data left (< MSGBUF_SIZE), encrypt it. */
3144 if ((plainlen
= MBLKL(mp
)) > 0)
3145 newmp
= encrypt_block(q
, tmi
, mp
, plainlen
);
3153 * Service routine for the write queue.
3155 * Because data may be placed in the queue to hold between
3156 * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
3159 cryptmodwsrv(queue_t
*q
)
3162 struct tmodinfo
*tmi
= (struct tmodinfo
*)q
->q_ptr
;
3164 while ((mp
= getq(q
)) != NULL
) {
3165 switch (mp
->b_datap
->db_type
) {
3168 * wput does not queue anything > QPCTL
3170 if (!canputnext(q
) ||
3171 !(tmi
->ready
& CRYPT_WRITE_READY
)) {
3172 if (!putbq(q
, mp
)) {
3180 if (canputnext(q
) && (tmi
->ready
& CRYPT_WRITE_READY
)) {
3182 mblk_t
*newmsg
= NULL
;
3185 * If multiple msgs, concat into 1
3186 * to minimize crypto operations later.
3188 if (mp
->b_cont
!= NULL
) {
3189 bp
= msgpullup(mp
, -1);
3195 newmsg
= encrypt_msgb(q
, tmi
, mp
);
3199 if (!putbq(q
, mp
)) {
3211 start_stream(queue_t
*wq
, mblk_t
*mp
, uchar_t dir
)
3213 mblk_t
*newmp
= NULL
;
3214 struct tmodinfo
*tmi
= (struct tmodinfo
*)wq
->q_ptr
;
3216 if (dir
== CRYPT_ENCRYPT
) {
3217 tmi
->ready
|= CRYPT_WRITE_READY
;
3218 (void) (STRLOG(CRYPTMOD_ID
, 0, 5, SL_TRACE
|SL_NOTE
,
3219 "start_stream: restart ENCRYPT/WRITE q"));
3223 } else if (dir
== CRYPT_DECRYPT
) {
3225 * put any extra data in the RD
3226 * queue to be processed and
3232 tmi
->ready
|= CRYPT_READ_READY
;
3233 (void) (STRLOG(CRYPTMOD_ID
, 0, 5,
3235 "start_stream: restart "
3239 if (!putbq(RD(wq
), newmp
))
3246 miocack(wq
, mp
, 0, 0);
3250 * Write-side put procedure. Its main task is to detect ioctls and
3251 * FLUSH operations. Other message types are passed on through.
3254 cryptmodwput(queue_t
*wq
, mblk_t
*mp
)
3256 struct iocblk
*iocp
;
3257 struct tmodinfo
*tmi
= (struct tmodinfo
*)wq
->q_ptr
;
3260 switch (mp
->b_datap
->db_type
) {
3262 if (wq
->q_first
== NULL
&& canputnext(wq
) &&
3263 (tmi
->ready
& CRYPT_WRITE_READY
) &&
3264 tmi
->enc_data
.method
== CRYPT_METHOD_NONE
) {
3268 /* else, put it in the service queue */
3269 if (!putq(wq
, mp
)) {
3274 if (*mp
->b_rptr
& FLUSHW
) {
3275 flushq(wq
, FLUSHDATA
);
3280 iocp
= (struct iocblk
*)mp
->b_rptr
;
3281 switch (iocp
->ioc_cmd
) {
3284 (void) (STRLOG(CRYPTMOD_ID
, 0, 5,
3286 "wput: got CRYPTIOCSETUP "
3287 "ioctl(%d)", iocp
->ioc_cmd
));
3289 if ((err
= miocpullup(mp
,
3290 sizeof (struct cr_info_t
))) != 0) {
3292 "wput: miocpullup failed for cr_info_t");
3293 miocnak(wq
, mp
, 0, err
);
3295 struct cr_info_t
*ci
;
3296 ci
= (struct cr_info_t
*)mp
->b_cont
->b_rptr
;
3298 if (ci
->direction_mask
& CRYPT_ENCRYPT
) {
3299 ret
= setup_crypto(ci
, &tmi
->enc_data
, 1);
3303 (ci
->direction_mask
& CRYPT_DECRYPT
)) {
3304 ret
= setup_crypto(ci
, &tmi
->dec_data
, 0);
3307 (ci
->direction_mask
& CRYPT_DECRYPT
) &&
3308 ANY_RCMD_MODE(tmi
->dec_data
.option_mask
)) {
3309 bzero(&tmi
->rcmd_state
,
3310 sizeof (tmi
->rcmd_state
));
3313 miocack(wq
, mp
, 0, 0);
3316 "wput: setup_crypto failed");
3317 miocnak(wq
, mp
, 0, ret
);
3319 (void) (STRLOG(CRYPTMOD_ID
, 0, 5,
3321 "wput: done with SETUP "
3326 (void) (STRLOG(CRYPTMOD_ID
, 0, 5,
3328 "wput: got CRYPTIOCSTOP "
3329 "ioctl(%d)", iocp
->ioc_cmd
));
3331 if ((err
= miocpullup(mp
, sizeof (uint32_t))) != 0) {
3333 "wput: CRYPTIOCSTOP ioctl wrong "
3334 "size (%d should be %d)",
3335 (int)iocp
->ioc_count
,
3336 (int)sizeof (uint32_t));
3337 miocnak(wq
, mp
, 0, err
);
3341 stopdir
= (uint32_t *)mp
->b_cont
->b_rptr
;
3342 if (!CR_DIRECTION_OK(*stopdir
)) {
3343 miocnak(wq
, mp
, 0, EINVAL
);
3347 /* disable the queues until further notice */
3348 if (*stopdir
& CRYPT_ENCRYPT
) {
3350 tmi
->ready
&= ~CRYPT_WRITE_READY
;
3352 if (*stopdir
& CRYPT_DECRYPT
) {
3354 tmi
->ready
&= ~CRYPT_READ_READY
;
3357 miocack(wq
, mp
, 0, 0);
3360 case CRYPTIOCSTARTDEC
:
3361 (void) (STRLOG(CRYPTMOD_ID
, 0, 5,
3363 "wput: got CRYPTIOCSTARTDEC "
3364 "ioctl(%d)", iocp
->ioc_cmd
));
3366 start_stream(wq
, mp
, CRYPT_DECRYPT
);
3368 case CRYPTIOCSTARTENC
:
3369 (void) (STRLOG(CRYPTMOD_ID
, 0, 5,
3371 "wput: got CRYPTIOCSTARTENC "
3372 "ioctl(%d)", iocp
->ioc_cmd
));
3374 start_stream(wq
, mp
, CRYPT_ENCRYPT
);
3382 if (queclass(mp
) < QPCTL
) {
3383 if (wq
->q_first
!= NULL
|| !canputnext(wq
)) {
3395 * decrypt_rcmd_mblks
3397 * Because kerberized r* commands(rsh, rlogin, etc)
3398 * use a 4 byte length field to indicate the # of
3399 * PLAINTEXT bytes that are encrypted in the field
3400 * that follows, we must parse out each message and
3401 * break out the length fields prior to sending them
3402 * upstream to our Solaris r* clients/servers which do
3403 * NOT understand this format.
3405 * Kerberized/encrypted message format:
3406 * -------------------------------
3407 * | XXXX | N bytes of ciphertext|
3408 * -------------------------------
3410 * Where: XXXX = number of plaintext bytes that were encrypted in
3411 * to make the ciphertext field. This is done
3412 * because we are using a cipher that pads out to
3413 * an 8 byte boundary. We only want the application
3414 * layer to see the correct number of plain text bytes,
3415 * not plaintext + pad. So, after we decrypt, we
3416 * must trim the output block down to the intended
3417 * plaintext length and eliminate the pad bytes.
3419 * This routine takes the entire input message, breaks it into
3420 * a new message that does not contain these length fields and
3421 * returns a message consisting of mblks filled with just ciphertext.
3425 decrypt_rcmd_mblks(queue_t
*q
, mblk_t
*mp
)
3427 mblk_t
*newmp
= NULL
;
3429 struct tmodinfo
*tmi
= (struct tmodinfo
*)q
->q_ptr
;
3431 msglen
= msgsize(mp
);
3434 * If we need the length field, get it here.
3435 * Test the "plaintext length" indicator.
3437 if (tmi
->rcmd_state
.pt_len
== 0) {
3443 * Make sure we have recieved all 4 bytes of the
3446 while (mp
!= NULL
) {
3447 ASSERT(tmi
->rcmd_state
.cd_len
< sizeof (uint32_t));
3449 tocopy
= sizeof (uint32_t) -
3450 tmi
->rcmd_state
.cd_len
;
3451 if (tocopy
> msglen
)
3454 ASSERT(mp
->b_rptr
+ tocopy
<= DB_LIM(mp
));
3456 (char *)(&tmi
->rcmd_state
.next_len
+
3457 tmi
->rcmd_state
.cd_len
), tocopy
);
3459 tmi
->rcmd_state
.cd_len
+= tocopy
;
3461 if (tmi
->rcmd_state
.cd_len
>= sizeof (uint32_t)) {
3462 tmi
->rcmd_state
.next_len
=
3463 ntohl(tmi
->rcmd_state
.next_len
);
3477 * recalculate the msglen now that we've read the
3478 * length and adjusted the bufptr (b_rptr).
3481 mp
->b_rptr
+= tocopy
;
3483 tmi
->rcmd_state
.pt_len
= tmi
->rcmd_state
.next_len
;
3485 if (tmi
->rcmd_state
.pt_len
<= 0) {
3487 * Return an IO error to break the connection. there
3488 * is no way to recover from this. Usually it means
3489 * the app has incorrectly requested decryption on
3490 * a non-encrypted stream, thus the "pt_len" field
3493 mp
->b_datap
->db_type
= M_ERROR
;
3494 mp
->b_rptr
= mp
->b_datap
->db_base
;
3496 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
3498 freemsg(mp
->b_cont
);
3501 tmi
->rcmd_state
.cd_len
= tmi
->rcmd_state
.pt_len
= 0;
3506 * If this is V2 mode, then the encrypted data is actually
3507 * 4 bytes bigger than the indicated len because the plaintext
3508 * length is encrypted for an additional security check, but
3509 * its not counted as part of the overall length we just read.
3510 * Strange and confusing, but true.
3513 if (tmi
->dec_data
.option_mask
& CRYPTOPT_RCMD_MODE_V2
)
3514 elen
= tmi
->rcmd_state
.pt_len
+ 4;
3516 elen
= tmi
->rcmd_state
.pt_len
;
3518 tmi
->rcmd_state
.cd_len
= encrypt_size(&tmi
->dec_data
, elen
);
3521 * Allocate an mblk to hold the cipher text until it is
3522 * all ready to be processed.
3524 tmi
->rcmd_state
.c_msg
= allocb(tmi
->rcmd_state
.cd_len
,
3526 if (tmi
->rcmd_state
.c_msg
== NULL
) {
3528 cmn_err(CE_WARN
, "decrypt_rcmd_msgb: allocb failed "
3530 (int)tmi
->rcmd_state
.cd_len
);
3533 * Return an IO error to break the connection.
3535 mp
->b_datap
->db_type
= M_ERROR
;
3536 mp
->b_rptr
= mp
->b_datap
->db_base
;
3538 mp
->b_wptr
= mp
->b_rptr
+ sizeof (char);
3539 freemsg(mp
->b_cont
);
3541 tmi
->rcmd_state
.cd_len
= tmi
->rcmd_state
.pt_len
= 0;
3548 * If this entire message was just the length field,
3549 * free and return. The actual data will probably be next.
3557 * Copy as much of the cipher text as possible into
3558 * the new msgb (c_msg).
3560 * Logic: if we got some bytes (msglen) and we still
3561 * "need" some bytes (len-rcvd), get them here.
3563 ASSERT(tmi
->rcmd_state
.c_msg
!= NULL
);
3565 (tmi
->rcmd_state
.cd_len
> MBLKL(tmi
->rcmd_state
.c_msg
))) {
3570 * Walk the mblks and copy just as many bytes as we need
3571 * for this particular block of cipher text.
3574 while (bp
!= NULL
) {
3579 needed
= tmi
->rcmd_state
.cd_len
-
3580 MBLKL(tmi
->rcmd_state
.c_msg
);
3582 tocopy
= (needed
>= n
? n
: needed
);
3584 ASSERT(bp
->b_rptr
+ tocopy
<= DB_LIM(bp
));
3585 ASSERT(tmi
->rcmd_state
.c_msg
->b_wptr
+ tocopy
<=
3586 DB_LIM(tmi
->rcmd_state
.c_msg
));
3588 /* Copy to end of new mblk */
3589 bcopy(bp
->b_rptr
, tmi
->rcmd_state
.c_msg
->b_wptr
,
3592 tmi
->rcmd_state
.c_msg
->b_wptr
+= tocopy
;
3594 bp
->b_rptr
+= tocopy
;
3599 * If we used this whole block, free it and
3607 /* If we got what we needed, stop the loop */
3608 if (MBLKL(tmi
->rcmd_state
.c_msg
) ==
3609 tmi
->rcmd_state
.cd_len
) {
3611 * If there is more data in the message,
3612 * its for another block of cipher text,
3613 * put it back in the queue for next time.
3618 } else if (nextp
!= NULL
) {
3620 * If there is more, put it back in the
3621 * queue for another pass thru.
3623 if (!putbq(q
, nextp
))
3632 * Finally, if we received all the cipher text data for
3633 * this message, decrypt it into a new msg and send it up
3636 if (tmi
->rcmd_state
.pt_len
> 0 &&
3637 MBLKL(tmi
->rcmd_state
.c_msg
) == tmi
->rcmd_state
.cd_len
) {
3642 * Now we can use our msg that we created when the
3643 * initial message boundary was detected.
3645 bp
= tmi
->rcmd_state
.c_msg
;
3646 tmi
->rcmd_state
.c_msg
= NULL
;
3648 newbp
= do_decrypt(q
, bp
);
3649 if (newbp
!= NULL
) {
3652 * If using RCMD_MODE_V2 ("new" mode),
3653 * look at the 4 byte plaintext length that
3654 * was just decrypted and compare with the
3655 * original pt_len value that was received.
3657 if (tmi
->dec_data
.option_mask
&
3658 CRYPTOPT_RCMD_MODE_V2
) {
3661 pt_len2
= *(uint32_t *)bp
->b_rptr
;
3662 pt_len2
= ntohl(pt_len2
);
3664 * Make sure the 2 pt len fields agree.
3666 if (pt_len2
!= tmi
->rcmd_state
.pt_len
) {
3668 "Inconsistent length fields"
3669 " received %d != %d",
3670 (int)tmi
->rcmd_state
.pt_len
,
3672 bp
->b_datap
->db_type
= M_ERROR
;
3673 bp
->b_rptr
= bp
->b_datap
->db_base
;
3675 bp
->b_wptr
= bp
->b_rptr
+ sizeof (char);
3676 freemsg(bp
->b_cont
);
3678 tmi
->rcmd_state
.cd_len
= 0;
3682 bp
->b_rptr
+= sizeof (uint32_t);
3686 * Trim the decrypted block the length originally
3687 * indicated by the sender. This is to remove any
3688 * padding bytes that the sender added to satisfy
3689 * requirements of the crypto algorithm.
3691 bp
->b_wptr
= bp
->b_rptr
+ tmi
->rcmd_state
.pt_len
;
3696 * Reset our state to indicate we are ready
3697 * for a new message.
3699 tmi
->rcmd_state
.pt_len
= 0;
3700 tmi
->rcmd_state
.cd_len
= 0;
3704 "decrypt_rcmd: do_decrypt on %d bytes failed",
3705 (int)tmi
->rcmd_state
.cd_len
);
3708 * do_decrypt already handled failures, just
3711 tmi
->rcmd_state
.pt_len
= 0;
3712 tmi
->rcmd_state
.cd_len
= 0;
3718 * return the new message with the 'length' fields removed
3726 * Read queue service routine
3727 * Necessary because if the ready flag is not set
3728 * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
3729 * must remain on queue and not be passed along.
3732 cryptmodrsrv(queue_t
*q
)
3735 struct tmodinfo
*tmi
= (struct tmodinfo
*)q
->q_ptr
;
3737 while ((mp
= getq(q
)) != NULL
) {
3738 switch (mp
->b_datap
->db_type
) {
3740 if (canputnext(q
) && tmi
->ready
& CRYPT_READ_READY
) {
3742 * Process "rcmd" messages differently because
3743 * they contain a 4 byte plaintext length
3744 * id that needs to be removed.
3746 if (tmi
->dec_data
.method
!= CRYPT_METHOD_NONE
&&
3747 (tmi
->dec_data
.option_mask
&
3748 (CRYPTOPT_RCMD_MODE_V1
|
3749 CRYPTOPT_RCMD_MODE_V2
))) {
3750 mp
= decrypt_rcmd_mblks(q
, mp
);
3755 if ((bp
= msgpullup(mp
, -1)) != NULL
) {
3757 if (MBLKL(bp
) > 0) {
3758 mp
= do_decrypt(q
, bp
);
3764 if (!putbq(q
, mp
)) {
3772 * rput does not queue anything > QPCTL, so we don't
3773 * need to check for it here.
3775 if (!canputnext(q
)) {
3789 * Read-side put procedure.
3792 cryptmodrput(queue_t
*rq
, mblk_t
*mp
)
3794 switch (mp
->b_datap
->db_type
) {
3796 if (!putq(rq
, mp
)) {
3801 if (*mp
->b_rptr
& FLUSHR
) {
3802 flushq(rq
, FLUSHALL
);
3807 if (queclass(mp
) < QPCTL
) {
3808 if (rq
->q_first
!= NULL
|| !canputnext(rq
)) {