4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include <sys/zfs_context.h>
27 #include <modes/modes.h>
28 #include <sys/crypto/common.h>
29 #include <sys/crypto/impl.h>
31 #ifdef HAVE_EFFICIENT_UNALIGNED_ACCESS
32 #include <sys/byteorder.h>
33 #define UNALIGNED_POINTERS_PERMITTED
37 * Encrypt multiple blocks of data in CCM mode. Decrypt for CCM mode
38 * is done in another function.
41 ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length,
42 crypto_data_t *out, size_t block_size,
43 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
44 void (*copy_block)(uint8_t *, uint8_t *),
45 void (*xor_block)(uint8_t *, uint8_t *))
47 size_t remainder = length;
49 uint8_t *datap = (uint8_t *)data;
56 size_t out_data_1_len;
60 if (length + ctx->ccm_remainder_len < block_size) {
61 /* accumulate bytes here and return */
63 (uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len,
65 ctx->ccm_remainder_len += length;
66 ctx->ccm_copy_to = datap;
67 return (CRYPTO_SUCCESS);
70 lastp = (uint8_t *)ctx->ccm_cb;
72 crypto_init_ptrs(out, &iov_or_mp, &offset);
74 mac_buf = (uint8_t *)ctx->ccm_mac_buf;
77 /* Unprocessed data from last call. */
78 if (ctx->ccm_remainder_len > 0) {
79 need = block_size - ctx->ccm_remainder_len;
82 return (CRYPTO_DATA_LEN_RANGE);
84 bcopy(datap, &((uint8_t *)ctx->ccm_remainder)
85 [ctx->ccm_remainder_len], need);
87 blockp = (uint8_t *)ctx->ccm_remainder;
95 * XOR the previous cipher block current clear block.
96 * mac_buf always contain previous cipher block.
98 xor_block(blockp, mac_buf);
99 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
101 /* ccm_cb is the counter block */
102 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb,
103 (uint8_t *)ctx->ccm_tmp);
105 lastp = (uint8_t *)ctx->ccm_tmp;
108 * Increment counter. Counter bits are confined
109 * to the bottom 64 bits of the counter block.
111 #ifdef _LITTLE_ENDIAN
112 counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask);
113 counter = htonll(counter + 1);
115 counter = ctx->ccm_cb[1] & ctx->ccm_counter_mask;
117 #endif /* _LITTLE_ENDIAN */
118 counter &= ctx->ccm_counter_mask;
120 (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter;
123 * XOR encrypted counter block with the current clear block.
125 xor_block(blockp, lastp);
127 ctx->ccm_processed_data_len += block_size;
130 if (ctx->ccm_remainder_len > 0) {
131 bcopy(blockp, ctx->ccm_copy_to,
132 ctx->ccm_remainder_len);
133 bcopy(blockp + ctx->ccm_remainder_len, datap,
137 crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
138 &out_data_1_len, &out_data_2, block_size);
140 /* copy block to where it belongs */
141 if (out_data_1_len == block_size) {
142 copy_block(lastp, out_data_1);
144 bcopy(lastp, out_data_1, out_data_1_len);
145 if (out_data_2 != NULL) {
146 bcopy(lastp + out_data_1_len,
148 block_size - out_data_1_len);
152 out->cd_offset += block_size;
155 /* Update pointer to next block of data to be processed. */
156 if (ctx->ccm_remainder_len != 0) {
158 ctx->ccm_remainder_len = 0;
163 remainder = (size_t)&data[length] - (size_t)datap;
165 /* Incomplete last block. */
166 if (remainder > 0 && remainder < block_size) {
167 bcopy(datap, ctx->ccm_remainder, remainder);
168 ctx->ccm_remainder_len = remainder;
169 ctx->ccm_copy_to = datap;
172 ctx->ccm_copy_to = NULL;
174 } while (remainder > 0);
177 return (CRYPTO_SUCCESS);
181 calculate_ccm_mac(ccm_ctx_t *ctx, uint8_t *ccm_mac,
182 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *))
185 uint8_t *counterp, *mac_buf;
188 mac_buf = (uint8_t *)ctx->ccm_mac_buf;
190 /* first counter block start with index 0 */
192 ctx->ccm_cb[1] = (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter;
194 counterp = (uint8_t *)ctx->ccm_tmp;
195 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp);
197 /* calculate XOR of MAC with first counter block */
198 for (i = 0; i < ctx->ccm_mac_len; i++) {
199 ccm_mac[i] = mac_buf[i] ^ counterp[i];
205 ccm_encrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
206 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
207 void (*xor_block)(uint8_t *, uint8_t *))
209 uint8_t *lastp, *mac_buf, *ccm_mac_p, *macp = NULL;
214 size_t out_data_1_len;
217 if (out->cd_length < (ctx->ccm_remainder_len + ctx->ccm_mac_len)) {
218 return (CRYPTO_DATA_LEN_RANGE);
222 * When we get here, the number of bytes of payload processed
223 * plus whatever data remains, if any,
224 * should be the same as the number of bytes that's being
225 * passed in the argument during init time.
227 if ((ctx->ccm_processed_data_len + ctx->ccm_remainder_len)
228 != (ctx->ccm_data_len)) {
229 return (CRYPTO_DATA_LEN_RANGE);
232 mac_buf = (uint8_t *)ctx->ccm_mac_buf;
234 if (ctx->ccm_remainder_len > 0) {
236 /* ccm_mac_input_buf is not used for encryption */
237 macp = (uint8_t *)ctx->ccm_mac_input_buf;
238 bzero(macp, block_size);
240 /* copy remainder to temporary buffer */
241 bcopy(ctx->ccm_remainder, macp, ctx->ccm_remainder_len);
243 /* calculate the CBC MAC */
244 xor_block(macp, mac_buf);
245 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
247 /* calculate the counter mode */
248 lastp = (uint8_t *)ctx->ccm_tmp;
249 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, lastp);
251 /* XOR with counter block */
252 for (i = 0; i < ctx->ccm_remainder_len; i++) {
255 ctx->ccm_processed_data_len += ctx->ccm_remainder_len;
258 /* Calculate the CCM MAC */
259 ccm_mac_p = (uint8_t *)ctx->ccm_tmp;
260 calculate_ccm_mac(ctx, ccm_mac_p, encrypt_block);
262 crypto_init_ptrs(out, &iov_or_mp, &offset);
263 crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
264 &out_data_1_len, &out_data_2,
265 ctx->ccm_remainder_len + ctx->ccm_mac_len);
267 if (ctx->ccm_remainder_len > 0) {
269 /* copy temporary block to where it belongs */
270 if (out_data_2 == NULL) {
271 /* everything will fit in out_data_1 */
272 bcopy(macp, out_data_1, ctx->ccm_remainder_len);
273 bcopy(ccm_mac_p, out_data_1 + ctx->ccm_remainder_len,
277 if (out_data_1_len < ctx->ccm_remainder_len) {
279 size_t data_2_len_used;
281 bcopy(macp, out_data_1, out_data_1_len);
283 data_2_len_used = ctx->ccm_remainder_len
286 bcopy((uint8_t *)macp + out_data_1_len,
287 out_data_2, data_2_len_used);
288 bcopy(ccm_mac_p, out_data_2 + data_2_len_used,
291 bcopy(macp, out_data_1, out_data_1_len);
292 if (out_data_1_len == ctx->ccm_remainder_len) {
293 /* mac will be in out_data_2 */
294 bcopy(ccm_mac_p, out_data_2,
297 size_t len_not_used = out_data_1_len -
298 ctx->ccm_remainder_len;
300 * part of mac in will be in
301 * out_data_1, part of the mac will be
305 out_data_1 + ctx->ccm_remainder_len,
307 bcopy(ccm_mac_p + len_not_used,
309 ctx->ccm_mac_len - len_not_used);
315 /* copy block to where it belongs */
316 bcopy(ccm_mac_p, out_data_1, out_data_1_len);
317 if (out_data_2 != NULL) {
318 bcopy(ccm_mac_p + out_data_1_len, out_data_2,
319 block_size - out_data_1_len);
322 out->cd_offset += ctx->ccm_remainder_len + ctx->ccm_mac_len;
323 ctx->ccm_remainder_len = 0;
324 return (CRYPTO_SUCCESS);
328 * This will only deal with decrypting the last block of the input that
329 * might not be a multiple of block length.
332 ccm_decrypt_incomplete_block(ccm_ctx_t *ctx,
333 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *))
335 uint8_t *datap, *outp, *counterp;
338 datap = (uint8_t *)ctx->ccm_remainder;
339 outp = &((ctx->ccm_pt_buf)[ctx->ccm_processed_data_len]);
341 counterp = (uint8_t *)ctx->ccm_tmp;
342 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp);
344 /* XOR with counter block */
345 for (i = 0; i < ctx->ccm_remainder_len; i++) {
346 outp[i] = datap[i] ^ counterp[i];
351 * This will decrypt the cipher text. However, the plaintext won't be
352 * returned to the caller. It will be returned when decrypt_final() is
353 * called if the MAC matches
357 ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length,
358 crypto_data_t *out, size_t block_size,
359 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
360 void (*copy_block)(uint8_t *, uint8_t *),
361 void (*xor_block)(uint8_t *, uint8_t *))
363 size_t remainder = length;
365 uint8_t *datap = (uint8_t *)data;
369 size_t pt_len, total_decrypted_len, mac_len, pm_len, pd_len;
373 pm_len = ctx->ccm_processed_mac_len;
378 * all ciphertext has been processed, just waiting for
379 * part of the value of the mac
381 if ((pm_len + length) > ctx->ccm_mac_len) {
382 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
384 tmp = (uint8_t *)ctx->ccm_mac_input_buf;
386 bcopy(datap, tmp + pm_len, length);
388 ctx->ccm_processed_mac_len += length;
389 return (CRYPTO_SUCCESS);
393 * If we decrypt the given data, what total amount of data would
394 * have been decrypted?
396 pd_len = ctx->ccm_processed_data_len;
397 total_decrypted_len = pd_len + length + ctx->ccm_remainder_len;
399 if (total_decrypted_len >
400 (ctx->ccm_data_len + ctx->ccm_mac_len)) {
401 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
404 pt_len = ctx->ccm_data_len;
406 if (total_decrypted_len > pt_len) {
408 * part of the input will be the MAC, need to isolate that
409 * to be dealt with later. The left-over data in
410 * ccm_remainder_len from last time will not be part of the
411 * MAC. Otherwise, it would have already been taken out
412 * when this call is made last time.
414 size_t pt_part = pt_len - pd_len - ctx->ccm_remainder_len;
416 mac_len = length - pt_part;
418 ctx->ccm_processed_mac_len = mac_len;
419 bcopy(data + pt_part, ctx->ccm_mac_input_buf, mac_len);
421 if (pt_part + ctx->ccm_remainder_len < block_size) {
423 * since this is last of the ciphertext, will
424 * just decrypt with it here
426 bcopy(datap, &((uint8_t *)ctx->ccm_remainder)
427 [ctx->ccm_remainder_len], pt_part);
428 ctx->ccm_remainder_len += pt_part;
429 ccm_decrypt_incomplete_block(ctx, encrypt_block);
430 ctx->ccm_processed_data_len += ctx->ccm_remainder_len;
431 ctx->ccm_remainder_len = 0;
432 return (CRYPTO_SUCCESS);
434 /* let rest of the code handle this */
437 } else if (length + ctx->ccm_remainder_len < block_size) {
438 /* accumulate bytes here and return */
440 (uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len,
442 ctx->ccm_remainder_len += length;
443 ctx->ccm_copy_to = datap;
444 return (CRYPTO_SUCCESS);
448 /* Unprocessed data from last call. */
449 if (ctx->ccm_remainder_len > 0) {
450 need = block_size - ctx->ccm_remainder_len;
452 if (need > remainder)
453 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
455 bcopy(datap, &((uint8_t *)ctx->ccm_remainder)
456 [ctx->ccm_remainder_len], need);
458 blockp = (uint8_t *)ctx->ccm_remainder;
463 /* Calculate the counter mode, ccm_cb is the counter block */
464 cbp = (uint8_t *)ctx->ccm_tmp;
465 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, cbp);
469 * Counter bits are confined to the bottom 64 bits
471 #ifdef _LITTLE_ENDIAN
472 counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask);
473 counter = htonll(counter + 1);
475 counter = ctx->ccm_cb[1] & ctx->ccm_counter_mask;
477 #endif /* _LITTLE_ENDIAN */
478 counter &= ctx->ccm_counter_mask;
480 (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter;
482 /* XOR with the ciphertext */
483 xor_block(blockp, cbp);
485 /* Copy the plaintext to the "holding buffer" */
486 resultp = (uint8_t *)ctx->ccm_pt_buf +
487 ctx->ccm_processed_data_len;
488 copy_block(cbp, resultp);
490 ctx->ccm_processed_data_len += block_size;
492 ctx->ccm_lastp = blockp;
494 /* Update pointer to next block of data to be processed. */
495 if (ctx->ccm_remainder_len != 0) {
497 ctx->ccm_remainder_len = 0;
502 remainder = (size_t)&data[length] - (size_t)datap;
504 /* Incomplete last block */
505 if (remainder > 0 && remainder < block_size) {
506 bcopy(datap, ctx->ccm_remainder, remainder);
507 ctx->ccm_remainder_len = remainder;
508 ctx->ccm_copy_to = datap;
509 if (ctx->ccm_processed_mac_len > 0) {
511 * not expecting anymore ciphertext, just
512 * compute plaintext for the remaining input
514 ccm_decrypt_incomplete_block(ctx,
516 ctx->ccm_processed_data_len += remainder;
517 ctx->ccm_remainder_len = 0;
521 ctx->ccm_copy_to = NULL;
523 } while (remainder > 0);
526 return (CRYPTO_SUCCESS);
530 ccm_decrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
531 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
532 void (*copy_block)(uint8_t *, uint8_t *),
533 void (*xor_block)(uint8_t *, uint8_t *))
535 size_t mac_remain, pt_len;
536 uint8_t *pt, *mac_buf, *macp, *ccm_mac_p;
539 pt_len = ctx->ccm_data_len;
541 /* Make sure output buffer can fit all of the plaintext */
542 if (out->cd_length < pt_len) {
543 return (CRYPTO_DATA_LEN_RANGE);
546 pt = ctx->ccm_pt_buf;
547 mac_remain = ctx->ccm_processed_data_len;
548 mac_buf = (uint8_t *)ctx->ccm_mac_buf;
550 macp = (uint8_t *)ctx->ccm_tmp;
552 while (mac_remain > 0) {
554 if (mac_remain < block_size) {
555 bzero(macp, block_size);
556 bcopy(pt, macp, mac_remain);
559 copy_block(pt, macp);
560 mac_remain -= block_size;
564 /* calculate the CBC MAC */
565 xor_block(macp, mac_buf);
566 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
569 /* Calculate the CCM MAC */
570 ccm_mac_p = (uint8_t *)ctx->ccm_tmp;
571 calculate_ccm_mac((ccm_ctx_t *)ctx, ccm_mac_p, encrypt_block);
573 /* compare the input CCM MAC value with what we calculated */
574 if (bcmp(ctx->ccm_mac_input_buf, ccm_mac_p, ctx->ccm_mac_len)) {
575 /* They don't match */
576 return (CRYPTO_INVALID_MAC);
578 rv = crypto_put_output_data(ctx->ccm_pt_buf, out, pt_len);
579 if (rv != CRYPTO_SUCCESS)
581 out->cd_offset += pt_len;
583 return (CRYPTO_SUCCESS);
587 ccm_validate_args(CK_AES_CCM_PARAMS *ccm_param, boolean_t is_encrypt_init)
589 size_t macSize, nonceSize;
594 * Check the length of the MAC. The only valid
595 * lengths for the MAC are: 4, 6, 8, 10, 12, 14, 16
597 macSize = ccm_param->ulMACSize;
598 if ((macSize < 4) || (macSize > 16) || ((macSize % 2) != 0)) {
599 return (CRYPTO_MECHANISM_PARAM_INVALID);
602 /* Check the nonce length. Valid values are 7, 8, 9, 10, 11, 12, 13 */
603 nonceSize = ccm_param->ulNonceSize;
604 if ((nonceSize < 7) || (nonceSize > 13)) {
605 return (CRYPTO_MECHANISM_PARAM_INVALID);
608 /* q is the length of the field storing the length, in bytes */
609 q = (uint8_t)((15 - nonceSize) & 0xFF);
613 * If it is decrypt, need to make sure size of ciphertext is at least
614 * bigger than MAC len
616 if ((!is_encrypt_init) && (ccm_param->ulDataSize < macSize)) {
617 return (CRYPTO_MECHANISM_PARAM_INVALID);
621 * Check to make sure the length of the payload is within the
622 * range of values allowed by q
625 maxValue = (1ULL << (q * 8)) - 1;
627 maxValue = ULONG_MAX;
630 if (ccm_param->ulDataSize > maxValue) {
631 return (CRYPTO_MECHANISM_PARAM_INVALID);
633 return (CRYPTO_SUCCESS);
637 * Format the first block used in CBC-MAC (B0) and the initial counter
638 * block based on formatting functions and counter generation functions
639 * specified in RFC 3610 and NIST publication 800-38C, appendix A
641 * b0 is the first block used in CBC-MAC
642 * cb0 is the first counter block
644 * It's assumed that the arguments b0 and cb0 are preallocated AES blocks
648 ccm_format_initial_blocks(uchar_t *nonce, ulong_t nonceSize,
649 ulong_t authDataSize, uint8_t *b0, ccm_ctx_t *aes_ctx)
651 uint64_t payloadSize;
652 uint8_t t, q, have_adata = 0;
658 q = (uint8_t)((15 - nonceSize) & 0xFF);
659 t = (uint8_t)((aes_ctx->ccm_mac_len) & 0xFF);
661 /* Construct the first octet of b0 */
662 if (authDataSize > 0) {
665 b0[0] = (have_adata << 6) | (((t - 2) / 2) << 3) | (q - 1);
667 /* copy the nonce value into b0 */
668 bcopy(nonce, &(b0[1]), nonceSize);
670 /* store the length of the payload into b0 */
671 bzero(&(b0[1+nonceSize]), q);
673 payloadSize = aes_ctx->ccm_data_len;
674 limit = 8 < q ? 8 : q;
676 for (i = 0, j = 0, k = 15; i < limit; i++, j += 8, k--) {
677 b0[k] = (uint8_t)((payloadSize >> j) & 0xFF);
680 /* format the counter block */
682 cb = (uint8_t *)aes_ctx->ccm_cb;
684 cb[0] = 0x07 & (q-1); /* first byte */
686 /* copy the nonce value into the counter block */
687 bcopy(nonce, &(cb[1]), nonceSize);
689 bzero(&(cb[1+nonceSize]), q);
691 /* Create the mask for the counter field based on the size of nonce */
697 #ifdef _LITTLE_ENDIAN
700 aes_ctx->ccm_counter_mask = mask;
703 * During calculation, we start using counter block 1, we will
704 * set it up right here.
705 * We can just set the last byte to have the value 1, because
706 * even with the biggest nonce of 13, the last byte of the
707 * counter block will be used for the counter value.
713 * Encode the length of the associated data as
714 * specified in RFC 3610 and NIST publication 800-38C, appendix A
717 encode_adata_len(ulong_t auth_data_len, uint8_t *encoded, size_t *encoded_len)
719 #ifdef UNALIGNED_POINTERS_PERMITTED
720 uint32_t *lencoded_ptr;
722 uint64_t *llencoded_ptr;
724 #endif /* UNALIGNED_POINTERS_PERMITTED */
726 if (auth_data_len < ((1ULL<<16) - (1ULL<<8))) {
727 /* 0 < a < (2^16-2^8) */
729 encoded[0] = (auth_data_len & 0xff00) >> 8;
730 encoded[1] = auth_data_len & 0xff;
732 } else if ((auth_data_len >= ((1ULL<<16) - (1ULL<<8))) &&
733 (auth_data_len < (1ULL << 31))) {
734 /* (2^16-2^8) <= a < 2^32 */
738 #ifdef UNALIGNED_POINTERS_PERMITTED
739 lencoded_ptr = (uint32_t *)&encoded[2];
740 *lencoded_ptr = htonl(auth_data_len);
742 encoded[2] = (auth_data_len & 0xff000000) >> 24;
743 encoded[3] = (auth_data_len & 0xff0000) >> 16;
744 encoded[4] = (auth_data_len & 0xff00) >> 8;
745 encoded[5] = auth_data_len & 0xff;
746 #endif /* UNALIGNED_POINTERS_PERMITTED */
750 /* 2^32 <= a < 2^64 */
754 #ifdef UNALIGNED_POINTERS_PERMITTED
755 llencoded_ptr = (uint64_t *)&encoded[2];
756 *llencoded_ptr = htonl(auth_data_len);
758 encoded[2] = (auth_data_len & 0xff00000000000000) >> 56;
759 encoded[3] = (auth_data_len & 0xff000000000000) >> 48;
760 encoded[4] = (auth_data_len & 0xff0000000000) >> 40;
761 encoded[5] = (auth_data_len & 0xff00000000) >> 32;
762 encoded[6] = (auth_data_len & 0xff000000) >> 24;
763 encoded[7] = (auth_data_len & 0xff0000) >> 16;
764 encoded[8] = (auth_data_len & 0xff00) >> 8;
765 encoded[9] = auth_data_len & 0xff;
766 #endif /* UNALIGNED_POINTERS_PERMITTED */
772 * The following function should be call at encrypt or decrypt init time
776 ccm_init(ccm_ctx_t *ctx, unsigned char *nonce, size_t nonce_len,
777 unsigned char *auth_data, size_t auth_data_len, size_t block_size,
778 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
779 void (*xor_block)(uint8_t *, uint8_t *))
781 uint8_t *mac_buf, *datap, *ivp, *authp;
782 size_t remainder, processed;
783 uint8_t encoded_a[10]; /* max encoded auth data length is 10 octets */
784 size_t encoded_a_len = 0;
786 mac_buf = (uint8_t *)&(ctx->ccm_mac_buf);
789 * Format the 1st block for CBC-MAC and construct the
792 * aes_ctx->ccm_iv is used for storing the counter block
793 * mac_buf will store b0 at this time.
795 ccm_format_initial_blocks(nonce, nonce_len,
796 auth_data_len, mac_buf, ctx);
798 /* The IV for CBC MAC for AES CCM mode is always zero */
799 ivp = (uint8_t *)ctx->ccm_tmp;
800 bzero(ivp, block_size);
802 xor_block(ivp, mac_buf);
804 /* encrypt the nonce */
805 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
807 /* take care of the associated data, if any */
808 if (auth_data_len == 0) {
809 return (CRYPTO_SUCCESS);
812 encode_adata_len(auth_data_len, encoded_a, &encoded_a_len);
814 remainder = auth_data_len;
816 /* 1st block: it contains encoded associated data, and some data */
817 authp = (uint8_t *)ctx->ccm_tmp;
818 bzero(authp, block_size);
819 bcopy(encoded_a, authp, encoded_a_len);
820 processed = block_size - encoded_a_len;
821 if (processed > auth_data_len) {
822 /* in case auth_data is very small */
823 processed = auth_data_len;
825 bcopy(auth_data, authp+encoded_a_len, processed);
826 /* xor with previous buffer */
827 xor_block(authp, mac_buf);
828 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
829 remainder -= processed;
830 if (remainder == 0) {
831 /* a small amount of associated data, it's all done now */
832 return (CRYPTO_SUCCESS);
836 if (remainder < block_size) {
838 * There's not a block full of data, pad rest of
841 bzero(authp, block_size);
842 bcopy(&(auth_data[processed]), authp, remainder);
843 datap = (uint8_t *)authp;
846 datap = (uint8_t *)(&(auth_data[processed]));
847 processed += block_size;
848 remainder -= block_size;
851 xor_block(datap, mac_buf);
852 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
854 } while (remainder > 0);
856 return (CRYPTO_SUCCESS);
860 ccm_init_ctx(ccm_ctx_t *ccm_ctx, char *param, int kmflag,
861 boolean_t is_encrypt_init, size_t block_size,
862 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
863 void (*xor_block)(uint8_t *, uint8_t *))
866 CK_AES_CCM_PARAMS *ccm_param;
869 ccm_param = (CK_AES_CCM_PARAMS *)param;
871 if ((rv = ccm_validate_args(ccm_param,
872 is_encrypt_init)) != 0) {
876 ccm_ctx->ccm_mac_len = ccm_param->ulMACSize;
877 if (is_encrypt_init) {
878 ccm_ctx->ccm_data_len = ccm_param->ulDataSize;
880 ccm_ctx->ccm_data_len =
881 ccm_param->ulDataSize - ccm_ctx->ccm_mac_len;
882 ccm_ctx->ccm_processed_mac_len = 0;
884 ccm_ctx->ccm_processed_data_len = 0;
886 ccm_ctx->ccm_flags |= CCM_MODE;
888 rv = CRYPTO_MECHANISM_PARAM_INVALID;
892 if (ccm_init(ccm_ctx, ccm_param->nonce, ccm_param->ulNonceSize,
893 ccm_param->authData, ccm_param->ulAuthDataSize, block_size,
894 encrypt_block, xor_block) != 0) {
895 rv = CRYPTO_MECHANISM_PARAM_INVALID;
898 if (!is_encrypt_init) {
899 /* allocate buffer for storing decrypted plaintext */
900 ccm_ctx->ccm_pt_buf = vmem_alloc(ccm_ctx->ccm_data_len,
902 if (ccm_ctx->ccm_pt_buf == NULL) {
903 rv = CRYPTO_HOST_MEMORY;
911 ccm_alloc_ctx(int kmflag)
915 if ((ccm_ctx = kmem_zalloc(sizeof (ccm_ctx_t), kmflag)) == NULL)
918 ccm_ctx->ccm_flags = CCM_MODE;