xref: /freebsd-src/sys/contrib/openzfs/module/icp/include/modes/modes.h (revision 75e1fea68aaa613a20dfdcd0c59dd403aca02c49)
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or https://opensource.org/licenses/CDDL-1.0.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef	_COMMON_CRYPTO_MODES_H
#define	_COMMON_CRYPTO_MODES_H

#ifdef	__cplusplus
extern "C" {
#endif

#include <sys/zfs_context.h>
#include <sys/crypto/common.h>
#include <sys/crypto/impl.h>

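/*
 * Does the build chain support all instructions needed for the GCM assembler
 * routines?  AVX support should imply AES-NI and PCLMULQDQ, but make sure
 * anyhow.
 *
 * NOTE(review): this is a build-time test only.  It says nothing about the
 * CPU the code ends up running on; gcm_ctx_t carries a per-context
 * gcm_use_avx flag, so the run-time choice is presumably made elsewhere --
 * confirm before assuming the assembler path is always the one in use.
 */
#if defined(__x86_64__) && defined(HAVE_AVX) && \
    defined(HAVE_AES) && defined(HAVE_PCLMULQDQ)
#define	CAN_USE_GCM_ASM
/* Defined outside this header; by its name, gates MOVBE use in the AVX code. */
extern boolean_t gcm_avx_can_use_movbe;
#endif

/*
 * Mode bits.  The cc_flags description below names CCM_MODE as a cc_flags
 * value; GCM_MODE is presumably kept in the same field -- confirm.
 */
#define	CCM_MODE			0x00000010
#define	GCM_MODE			0x00000020
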
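/*
 * State shared by the block-cipher mode contexts.  ccm_ctx_t and gcm_ctx_t
 * both embed this structure as their first member.  The ac_* accessors on
 * aes_ctx_t always go through acu.acu_ccm, which only addresses the right
 * storage for a GCM context because the common part comes first in both
 * layouts -- keep it first.
 *
 * cc_keysched:		Pointer to key schedule.  The schedule is expanded
 *			key material and is as sensitive as the key itself.
 *
 * cc_keysched_len:	Length of the key schedule.
 *
 * cc_remainder:	This is for residual data, i.e. data that can't
 *			be processed because there are too few bytes.
 *			Must wait until more data arrives.
 *
 * cc_remainder_len:	Number of bytes in cc_remainder.
 *
 * cc_iv:		Scratch buffer that sometimes contains the IV.
 *			ccm_cb and gcm_cb are aliases for this field.
 *
 * cc_lastp:		Pointer to previous block of ciphertext.
 *
 * cc_copy_to:		Pointer to where encrypted residual data needs
 *			to be copied.
 *
 * cc_flags:		PROVIDER_OWNS_KEY_SCHEDULE
 *			When a context is freed, it is necessary
 *			to know whether the key schedule was allocated
 *			by the caller, or internally, e.g. an init routine.
 *			If allocated by the latter, then it needs to be freed.
 *			NOTE(review): whoever frees the schedule should
 *			also wipe it first -- confirm the free path does.
 *
 *			CCM_MODE
 *			Mode bit defined above.  GCM_MODE is defined next to
 *			it and gcm_flags aliases this field, so it is
 *			presumably stored here as well -- confirm.
 */
struct common_ctx {
	void *cc_keysched;
	size_t cc_keysched_len;
	uint64_t cc_iv[2];		/* 16 bytes */
	uint64_t cc_remainder[2];	/* 16 bytes */
	size_t cc_remainder_len;
	uint8_t *cc_lastp;
	uint8_t *cc_copy_to;
	uint32_t cc_flags;
};

typedef struct common_ctx common_ctx_t;
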
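/*
 * Per-operation state for CCM mode.
 *
 * ccm_mac_len:		Stores length of the MAC in CCM mode.
 * ccm_mac_buf:		Stores the intermediate value for MAC in CCM encrypt.
 *			In CCM decrypt, stores the input MAC value.
 * ccm_data_len:	Length of the plaintext for CCM mode encrypt, or
 *			length of the ciphertext for CCM mode decrypt.
 * ccm_processed_data_len:
 *			Length of processed plaintext in CCM mode encrypt,
 *			or length of processed ciphertext for CCM mode decrypt.
 * ccm_processed_mac_len:
 *			Length of MAC data accumulated in CCM mode decrypt.
 *
 * ccm_pt_buf:		Only used in CCM mode decrypt.  It stores the
 *			decrypted plaintext to be returned when
 *			MAC verification succeeds in decrypt_final.
 *			Memory for this should be allocated in the AES module.
 *			Until that verification succeeds the contents are
 *			unauthenticated and must not be handed to a caller.
 *			NOTE(review): confirm the free path wipes this
 *			buffer before releasing it.
 *
 * ccm_tmp, ccm_mac_input_buf, ccm_counter_mask:
 *			Not described by the original comment.  By their
 *			names: scratch space, staging for MAC input, and a
 *			mask applied to the counter -- confirm in the
 *			implementation.
 */
typedef struct ccm_ctx {
	struct common_ctx ccm_common;	/* must stay the first member */
	uint32_t ccm_tmp[4];
	size_t ccm_mac_len;
	uint64_t ccm_mac_buf[2];
	size_t ccm_data_len;
	size_t ccm_processed_data_len;
	size_t ccm_processed_mac_len;
	uint8_t *ccm_pt_buf;
	uint64_t ccm_mac_input_buf[2];
	uint64_t ccm_counter_mask;
} ccm_ctx_t;

/* Shorthand for the embedded common_ctx fields of a ccm_ctx_t. */
#define	ccm_keysched		ccm_common.cc_keysched
#define	ccm_keysched_len	ccm_common.cc_keysched_len
#define	ccm_cb			ccm_common.cc_iv
#define	ccm_remainder		ccm_common.cc_remainder
#define	ccm_remainder_len	ccm_common.cc_remainder_len
#define	ccm_lastp		ccm_common.cc_lastp
#define	ccm_copy_to		ccm_common.cc_copy_to
#define	ccm_flags		ccm_common.cc_flags
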
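/*
 * Per-operation state for GCM mode.
 *
 * gcm_tag_len:		Length of authentication tag.
 *
 * gcm_ghash:		Stores output from the GHASH function.
 *
 * gcm_processed_data_len:
 *			Length of processed plaintext (encrypt) or
 *			length of processed ciphertext (decrypt).
 *
 * gcm_pt_buf:		Stores the decrypted plaintext returned by
 *			decrypt_final when the computed authentication
 *			tag matches the user supplied tag.  Until then
 *			the contents are unauthenticated and must not be
 *			handed to a caller.
 *
 * gcm_pt_buf_len:	Length of the plaintext buffer.
 *
 * gcm_H:		Subkey.  It is derived from the cipher key and
 *			authenticates every tag made under that key, so
 *			treat it (and gcm_Htable) as key material.
 *
 * gcm_Htable:		Pre-computed and pre-shifted H, H^2, ... H^6 for the
 *			Karatsuba Algorithm in host byte order.
 *
 * gcm_htab_len:	Not described by the original comment; presumably
 *			the size of the gcm_Htable allocation -- confirm.
 *
 * gcm_J0:		Pre-counter block generated from the IV.
 *
 * gcm_len_a_len_c:	64-bit representations of the bit lengths of
 *			AAD and ciphertext.
 *
 * gcm_tmp, gcm_use_avx:
 *			Not described by the original comment.  By their
 *			names: scratch space, and whether this context
 *			uses the AVX assembler routines -- confirm.
 */
typedef struct gcm_ctx {
	struct common_ctx gcm_common;	/* must stay the first member */
	size_t gcm_tag_len;
	size_t gcm_processed_data_len;
	size_t gcm_pt_buf_len;
	uint32_t gcm_tmp[4];
	/*
	 * The offset of gcm_Htable relative to gcm_ghash, (32), is hard coded
	 * in aesni-gcm-x86_64.S, so please don't change (or adjust there).
	 * The 32 is gcm_ghash plus gcm_H, 16 bytes each.  Nothing in this
	 * header checks that offset at compile time, so a member added,
	 * removed or resized between the two is not caught by the compiler.
	 */
	uint64_t gcm_ghash[2];
	uint64_t gcm_H[2];
#ifdef CAN_USE_GCM_ASM
	uint64_t *gcm_Htable;
	size_t gcm_htab_len;
#endif
	uint64_t gcm_J0[2];
	uint64_t gcm_len_a_len_c[2];
	uint8_t *gcm_pt_buf;
#ifdef CAN_USE_GCM_ASM
	boolean_t gcm_use_avx;
#endif
} gcm_ctx_t;

/* Shorthand for the embedded common_ctx fields of a gcm_ctx_t. */
#define	gcm_keysched		gcm_common.cc_keysched
#define	gcm_keysched_len	gcm_common.cc_keysched_len
#define	gcm_cb			gcm_common.cc_iv
#define	gcm_remainder		gcm_common.cc_remainder
#define	gcm_remainder_len	gcm_common.cc_remainder_len
#define	gcm_lastp		gcm_common.cc_lastp
#define	gcm_copy_to		gcm_common.cc_copy_to
#define	gcm_flags		gcm_common.cc_flags

/*
 * NOTE(review): by its name this clears a GCM context; presumably it wipes
 * the key-dependent members (gcm_H, gcm_Htable, gcm_J0) and any buffered
 * plaintext before the memory is reused -- confirm in the implementation.
 * Declared with extern like the other prototypes in this header.
 */
extern void gcm_clear_ctx(gcm_ctx_t *ctx);
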
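/*
 * AES context: storage for exactly one of the mode contexts.  Which union
 * member is live is not recorded here; presumably the mode bits in cc_flags
 * say so -- confirm against the code that allocates and frees contexts.
 */
typedef struct aes_ctx {
	union {
		ccm_ctx_t acu_ccm;
		gcm_ctx_t acu_gcm;
	} acu;
} aes_ctx_t;

/*
 * Accessors for the common part.  They are spelled through acu_ccm, which
 * addresses the same bytes in a GCM context only because both ccm_ctx_t and
 * gcm_ctx_t begin with a struct common_ctx.
 */
#define	ac_flags		acu.acu_ccm.ccm_common.cc_flags
#define	ac_remainder_len	acu.acu_ccm.ccm_common.cc_remainder_len
#define	ac_keysched		acu.acu_ccm.ccm_common.cc_keysched
#define	ac_keysched_len		acu.acu_ccm.ccm_common.cc_keysched_len
#define	ac_iv			acu.acu_ccm.ccm_common.cc_iv
#define	ac_lastp		acu.acu_ccm.ccm_common.cc_lastp
/*
 * Mode-specific accessors.  The members after the common part differ between
 * the two layouts, so the CCM ones below are only meaningful while the
 * context holds CCM state, and ac_tag_len only while it holds GCM state.
 */
#define	ac_pt_buf		acu.acu_ccm.ccm_pt_buf
#define	ac_mac_len		acu.acu_ccm.ccm_mac_len
#define	ac_data_len		acu.acu_ccm.ccm_data_len
#define	ac_processed_mac_len	acu.acu_ccm.ccm_processed_mac_len
#define	ac_processed_data_len	acu.acu_ccm.ccm_processed_data_len
#define	ac_tag_len		acu.acu_gcm.gcm_tag_len
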
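/*
 * Multi-part update routines for CCM and GCM.  All four take the mode
 * context, a char * with a size_t, a crypto_data_t *, a second size_t and
 * the block-cipher callbacks, and return an int status.
 *
 * NOTE(review): the parameters are unnamed.  Presumably they are the input
 * buffer and its length, the output descriptor and the cipher block size --
 * confirm against the definitions.
 *
 * The decrypt variants also take a callback named encrypt_block; both modes
 * are counter based, so only the forward cipher is needed.  According to the
 * ccm_pt_buf and gcm_pt_buf descriptions, decrypted plaintext is held in the
 * context and returned by decrypt_final, so callers should not expect
 * usable plaintext from the decrypt update calls.
 */
extern int ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
    crypto_data_t *, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*copy_block)(uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));

extern int ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
    crypto_data_t *, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*copy_block)(uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));

extern int gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
    crypto_data_t *, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*copy_block)(uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));

extern int gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
    crypto_data_t *, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*copy_block)(uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));
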
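/*
 * Finalization routines.  Each takes the mode context, a crypto_data_t *, a
 * size_t and block-cipher callbacks, and returns an int status.  The
 * callback lists are not symmetric: ccm_encrypt_final and gcm_decrypt_final
 * take no copy_block.
 *
 * Per the ccm_pt_buf and gcm_pt_buf descriptions, the decrypt variants
 * return the buffered plaintext only when the MAC / tag matches.  Callers
 * must check the return value and discard the output on any failure.
 * NOTE(review): confirm that the tag comparison in the implementation does
 * not depend on where the first mismatching byte is.
 *
 * The two encrypt prototypes are declared extern like the rest of the
 * header; for a function declaration this changes nothing but the spelling.
 */
extern int ccm_encrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));

extern int gcm_encrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*copy_block)(uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));

extern int ccm_decrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*copy_block)(uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));

extern int gcm_decrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));
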
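/*
 * Context initialization.  Both return an int status.
 *
 * NOTE(review): the parameters are unnamed.  The char * is presumably the
 * mechanism parameter block (nonce / IV, AAD, lengths) and the trailing
 * size_t the cipher block size -- confirm against the definitions.
 *
 * gcm_J0 is generated from the IV, and GCM gives no protection once an IV
 * is repeated under the same key.  Nothing declared in this header tracks
 * IV use, so uniqueness is the caller's responsibility.
 */
extern int ccm_init_ctx(ccm_ctx_t *, char *, int, boolean_t, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));

extern int gcm_init_ctx(gcm_ctx_t *, char *, size_t,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
    void (*copy_block)(uint8_t *, uint8_t *),
    void (*xor_block)(uint8_t *, uint8_t *));

/*
 * By its name, computes the CCM MAC for the context using encrypt_block;
 * the uint8_t * is presumably where the result is written -- confirm.
 */
extern void calculate_ccm_mac(ccm_ctx_t *, uint8_t *,
    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *));

/*
 * By its name, the field multiplication behind GHASH.  The three pointers
 * are presumably two 128-bit operands and the result -- confirm the order.
 */
extern void gcm_mul(uint64_t *, uint64_t *, uint64_t *);
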
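/*
 * Helpers for walking a crypto_data_t.  NOTE(review): by their names they
 * set up and then advance the output pointers handed back through the
 * void ** and offset_t * arguments; the parameters are unnamed, so confirm
 * the meaning of each against the definitions.
 */
extern void crypto_init_ptrs(crypto_data_t *, void **, offset_t *);
extern void crypto_get_ptrs(crypto_data_t *, void **, offset_t *,
    uint8_t **, size_t *, uint8_t **, size_t);

/*
 * Context allocation and release.  The allocators return void *, so the
 * caller picks the type; the int is presumably an allocation flag, and a
 * NULL result should be expected and checked -- confirm.
 *
 * crypto_free_mode_ctx takes an untyped pointer.  NOTE(review): it
 * presumably uses the mode bits in cc_flags to tell the context types
 * apart.  The contexts hold a key schedule pointer, the GCM subkey and
 * buffered plaintext, so confirm that it wipes them before freeing.
 */
extern void *ccm_alloc_ctx(int);
extern void *gcm_alloc_ctx(int);
extern void crypto_free_mode_ctx(void *);
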
#ifdef	__cplusplus
}
#endif

#endif	/* _COMMON_CRYPTO_MODES_H */