1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 */
25
26#ifndef	_COMMON_CRYPTO_MODES_H
27#define	_COMMON_CRYPTO_MODES_H
28
29#ifdef	__cplusplus
30extern "C" {
31#endif
32
33#include <sys/zfs_context.h>
34#include <sys/crypto/common.h>
35#include <sys/crypto/impl.h>
36
37/*
38 * Does the build chain support all instructions needed for the GCM assembler
39 * routines? AVX support should imply AES-NI and PCLMULQDQ, but make sure
40 * anyhow. This is a build-time test only; it does not probe the running CPU.
41 */
42#if defined(__x86_64__) && defined(HAVE_AVX) && \
43    defined(HAVE_AES) && defined(HAVE_PCLMULQDQ)
44#define	CAN_USE_GCM_ASM
45extern boolean_t gcm_avx_can_use_movbe;	/* defined elsewhere; presumably a MOVBE capability flag - confirm */
46#endif
47
48#define	ECB_MODE			0x00000002	/* one bit per mode; blocks enciphered independently */
49#define	CBC_MODE			0x00000004	/* confidentiality only, no integrity check */
50#define	CTR_MODE			0x00000008	/* confidentiality only, no integrity check */
51#define	CCM_MODE			0x00000010	/* authenticated encryption */
52#define	GCM_MODE			0x00000020	/* authenticated encryption */
53#define	GMAC_MODE			0x00000040	/* authentication only */
54
55/*
56 * cc_keysched:		Pointer to key schedule (secret, key-derived data).
57 *
58 * cc_keysched_len:	Length of the key schedule.
59 *
60 * cc_remainder:	This is for residual data, i.e. data that can't
61 *			be processed because there are too few bytes.
62 *			Must wait until more data arrives.
63 *
64 * cc_remainder_len:	Number of bytes in cc_remainder.
65 *
66 * cc_iv:		Scratch buffer that sometimes contains the IV.
67 *
68 * cc_lastp:		Pointer to previous block of ciphertext.
69 *
70 * cc_copy_to:		Pointer to where encrypted residual data needs
71 *			to be copied.
72 *
73 * cc_flags:		PROVIDER_OWNS_KEY_SCHEDULE
74 *			When a context is freed, it is necessary
75 *			to know whether the key schedule was allocated
76 *			by the caller, or internally, e.g. an init routine.
77 *			If allocated by the latter, then it needs to be freed.
78 *
79 *			ECB_MODE, CBC_MODE, CTR_MODE, or CCM_MODE (GCM_MODE/GMAC_MODE too? - confirm)
80 */
81struct common_ctx {
82	void *cc_keysched;		/* NOTE(review): confirm it is zeroized before being freed */
83	size_t cc_keysched_len;
84	uint64_t cc_iv[2];		/* 16 bytes */
85	uint64_t cc_remainder[2];	/* 16 bytes of buffered, not yet processed input */
86	size_t cc_remainder_len;	/* must never exceed sizeof (cc_remainder) */
87	uint8_t *cc_lastp;
88	uint8_t *cc_copy_to;
89	uint32_t cc_flags;		/* PROVIDER_OWNS_KEY_SCHEDULE and a *_MODE bit */
90};
91
92typedef struct common_ctx common_ctx_t;
93
94typedef struct ecb_ctx {
95	struct common_ctx ecb_common;	/* keep first: the ac_/bc_/dc_ macros reach every variant through it */
96	uint64_t ecb_lastblock[2];	/* 16 bytes; use not visible in this header */
97} ecb_ctx_t;
98
99#define	ecb_keysched		ecb_common.cc_keysched	/* field aliases into ecb_common */
100#define	ecb_keysched_len	ecb_common.cc_keysched_len
101#define	ecb_iv			ecb_common.cc_iv
102#define	ecb_remainder		ecb_common.cc_remainder
103#define	ecb_remainder_len	ecb_common.cc_remainder_len
104#define	ecb_lastp		ecb_common.cc_lastp
105#define	ecb_copy_to		ecb_common.cc_copy_to
106#define	ecb_flags		ecb_common.cc_flags
107
108typedef struct cbc_ctx {
109	struct common_ctx cbc_common;	/* keep first: must overlay ecb_common inside the cipher unions */
110	uint64_t cbc_lastblock[2];	/* 16 bytes; presumably the previous ciphertext block - confirm */
111} cbc_ctx_t;
112
113#define	cbc_keysched		cbc_common.cc_keysched	/* field aliases into cbc_common */
114#define	cbc_keysched_len	cbc_common.cc_keysched_len
115#define	cbc_iv			cbc_common.cc_iv
116#define	cbc_remainder		cbc_common.cc_remainder
117#define	cbc_remainder_len	cbc_common.cc_remainder_len
118#define	cbc_lastp		cbc_common.cc_lastp
119#define	cbc_copy_to		cbc_common.cc_copy_to
120#define	cbc_flags		cbc_common.cc_flags
121
122/*
123 * ctr_lower_mask		Bit-mask for lower 8 bytes of counter block.
124 * ctr_upper_mask		Bit-mask for upper 8 bytes of counter block.
125 */
126typedef struct ctr_ctx {
127	struct common_ctx ctr_common;	/* keep first: must overlay ecb_common inside aes_ctx_t */
128	uint64_t ctr_lower_mask;	/* NOTE(review): confirm counter wrap cannot repeat a counter block */
129	uint64_t ctr_upper_mask;
130	uint32_t ctr_tmp[4];		/* 16-byte scratch; use not visible in this header */
131} ctr_ctx_t;
132
133/*
134 * ctr_cb			Counter block (stored in the shared cc_iv field).
135 */
136#define	ctr_keysched		ctr_common.cc_keysched
137#define	ctr_keysched_len	ctr_common.cc_keysched_len
138#define	ctr_cb			ctr_common.cc_iv
139#define	ctr_remainder		ctr_common.cc_remainder
140#define	ctr_remainder_len	ctr_common.cc_remainder_len
141#define	ctr_lastp		ctr_common.cc_lastp
142#define	ctr_copy_to		ctr_common.cc_copy_to
143#define	ctr_flags		ctr_common.cc_flags
144
145/*
146 *
147 * ccm_mac_len:		Stores length of the MAC in CCM mode.
148 * ccm_mac_buf:		Stores the intermediate value for MAC in CCM encrypt.
149 *			In CCM decrypt, stores the input MAC value.
150 * ccm_data_len:	Length of the plaintext for CCM mode encrypt, or
151 *			length of the ciphertext for CCM mode decrypt.
152 * ccm_processed_data_len:
153 *			Length of processed plaintext in CCM mode encrypt,
154 *			or length of processed ciphertext for CCM mode decrypt.
155 * ccm_processed_mac_len:
156 *			Length of MAC data accumulated in CCM mode decrypt.
157 *
158 * ccm_pt_buf:		Only used in CCM mode decrypt.  It stores the
159 *			decrypted plaintext to be returned when
160 *			MAC verification succeeds in decrypt_final.
161 *			Memory for this should be allocated in the AES module.
162 *			Until that verification the contents are unauthenticated.
163 */
164typedef struct ccm_ctx {
165	struct common_ctx ccm_common;	/* keep first: must overlay ecb_common inside aes_ctx_t */
166	uint32_t ccm_tmp[4];		/* 16-byte scratch; use not visible in this header */
167	size_t ccm_mac_len;
168	uint64_t ccm_mac_buf[2];
169	size_t ccm_data_len;
170	size_t ccm_processed_data_len;
171	size_t ccm_processed_mac_len;
172	uint8_t *ccm_pt_buf;		/* NOTE(review): confirm zeroized on free and on MAC failure */
173	uint64_t ccm_mac_input_buf[2];	/* not described above; role not visible in this header */
174	uint64_t ccm_counter_mask;	/* not described above; presumably masks the CCM counter - confirm */
175} ccm_ctx_t;
176
177#define	ccm_keysched		ccm_common.cc_keysched
178#define	ccm_keysched_len	ccm_common.cc_keysched_len
179#define	ccm_cb			ccm_common.cc_iv	/* counter block shares the cc_iv field */
180#define	ccm_remainder		ccm_common.cc_remainder
181#define	ccm_remainder_len	ccm_common.cc_remainder_len
182#define	ccm_lastp		ccm_common.cc_lastp
183#define	ccm_copy_to		ccm_common.cc_copy_to
184#define	ccm_flags		ccm_common.cc_flags
185
186/*
187 * gcm_tag_len:		Length of authentication tag.
188 *
189 * gcm_ghash:		Stores output from the GHASH function.
190 *
191 * gcm_processed_data_len:
192 *			Length of processed plaintext (encrypt) or
193 *			length of processed ciphertext (decrypt).
194 *
195 * gcm_pt_buf:		Stores the decrypted plaintext returned by
196 *			decrypt_final when the computed authentication
197 *			tag matches the user supplied tag; unauthenticated until then.
198 *
199 * gcm_pt_buf_len:	Length of the plaintext buffer.
200 *
201 * gcm_H:		GHASH subkey; key-dependent, so treat it as secret.
202 *
203 * gcm_Htable:		Pre-computed and pre-shifted H, H^2, ... H^6 for the
204 *			Karatsuba Algorithm in host byte order. Key-dependent like gcm_H.
205 *
206 * gcm_J0:		Pre-counter block generated from the IV (the IV must not repeat per key).
207 *
208 * gcm_len_a_len_c:	64-bit representations of the bit lengths of
209 *			AAD and ciphertext.
210 *
211 * gcm_kmflag:		Current value of kmflag. Used for allocating
212 *			the plaintext buffer during decryption and a
213 *			gcm_avx_chunk_size'd buffer for avx enabled encryption.
214 */
215typedef struct gcm_ctx {
216	struct common_ctx gcm_common;	/* keep first: must overlay ecb_common inside aes_ctx_t */
217	size_t gcm_tag_len;		/* NOTE(review): confirm init only accepts the tag lengths SP 800-38D allows */
218	size_t gcm_processed_data_len;
219	size_t gcm_pt_buf_len;
220	uint32_t gcm_tmp[4];		/* 16-byte scratch; use not visible in this header */
221	/*
222	 * The offset of gcm_Htable relative to gcm_ghash, (32), is hard coded
223	 * in aesni-gcm-x86_64.S, so please don't change (or adjust there).
224	 */
225	uint64_t gcm_ghash[2];		/* 16 bytes */
226	uint64_t gcm_H[2];		/* 16 bytes; 16 + 16 puts gcm_Htable at gcm_ghash + 32 */
227#ifdef CAN_USE_GCM_ASM			/* layout depends on build flags; every user must be built alike */
228	uint64_t *gcm_Htable;		/* NOTE(review): key-dependent; confirm zeroized before free */
229	size_t gcm_htab_len;		/* presumably the size of the gcm_Htable allocation - confirm */
230#endif
231	uint64_t gcm_J0[2];
232	uint64_t gcm_len_a_len_c[2];
233	uint8_t *gcm_pt_buf;		/* NOTE(review): confirm zeroized on free and on tag mismatch */
234	int gcm_kmflag;
235#ifdef CAN_USE_GCM_ASM
236	boolean_t gcm_use_avx;		/* presumably selects the AVX assembler path for this context - confirm */
237#endif
238} gcm_ctx_t;
239
240#define	gcm_keysched		gcm_common.cc_keysched
241#define	gcm_keysched_len	gcm_common.cc_keysched_len
242#define	gcm_cb			gcm_common.cc_iv	/* counter block shares the cc_iv field */
243#define	gcm_remainder		gcm_common.cc_remainder
244#define	gcm_remainder_len	gcm_common.cc_remainder_len
245#define	gcm_lastp		gcm_common.cc_lastp
246#define	gcm_copy_to		gcm_common.cc_copy_to
247#define	gcm_flags		gcm_common.cc_flags
248
249#define	AES_GMAC_IV_LEN		12	/* presumably bytes, i.e. a 96-bit IV - confirm */
250#define	AES_GMAC_TAG_BITS	128	/* tag length in bits */
251
252typedef struct aes_ctx {
253	union {				/* every variant starts with a struct common_ctx */
254		ecb_ctx_t acu_ecb;
255		cbc_ctx_t acu_cbc;
256		ctr_ctx_t acu_ctr;
257		ccm_ctx_t acu_ccm;
258		gcm_ctx_t acu_gcm;
259	} acu;
260} aes_ctx_t;
261
262#define	ac_flags		acu.acu_ecb.ecb_common.cc_flags	/* common fields, read through the ECB variant */
263#define	ac_remainder_len	acu.acu_ecb.ecb_common.cc_remainder_len
264#define	ac_keysched		acu.acu_ecb.ecb_common.cc_keysched
265#define	ac_keysched_len		acu.acu_ecb.ecb_common.cc_keysched_len
266#define	ac_iv			acu.acu_ecb.ecb_common.cc_iv
267#define	ac_lastp		acu.acu_ecb.ecb_common.cc_lastp
268#define	ac_pt_buf		acu.acu_ccm.ccm_pt_buf	/* CCM layout: only meaningful for a CCM context */
269#define	ac_mac_len		acu.acu_ccm.ccm_mac_len
270#define	ac_data_len		acu.acu_ccm.ccm_data_len
271#define	ac_processed_mac_len	acu.acu_ccm.ccm_processed_mac_len
272#define	ac_processed_data_len	acu.acu_ccm.ccm_processed_data_len
273#define	ac_tag_len		acu.acu_gcm.gcm_tag_len	/* GCM layout: only meaningful for a GCM context */
274
275typedef struct blowfish_ctx {
276	union {				/* ECB and CBC only; both start with a struct common_ctx */
277		ecb_ctx_t bcu_ecb;
278		cbc_ctx_t bcu_cbc;
279	} bcu;
280} blowfish_ctx_t;
281
282#define	bc_flags		bcu.bcu_ecb.ecb_common.cc_flags	/* common fields, read through the ECB variant */
283#define	bc_remainder_len	bcu.bcu_ecb.ecb_common.cc_remainder_len
284#define	bc_keysched		bcu.bcu_ecb.ecb_common.cc_keysched
285#define	bc_keysched_len		bcu.bcu_ecb.ecb_common.cc_keysched_len
286#define	bc_iv			bcu.bcu_ecb.ecb_common.cc_iv
287#define	bc_lastp		bcu.bcu_ecb.ecb_common.cc_lastp
288
289typedef struct des_ctx {
290	union {				/* ECB and CBC only; both start with a struct common_ctx */
291		ecb_ctx_t dcu_ecb;
292		cbc_ctx_t dcu_cbc;
293	} dcu;
294} des_ctx_t;
295
296#define	dc_flags		dcu.dcu_ecb.ecb_common.cc_flags	/* common fields, read through the ECB variant */
297#define	dc_remainder_len	dcu.dcu_ecb.ecb_common.cc_remainder_len
298#define	dc_keysched		dcu.dcu_ecb.ecb_common.cc_keysched
299#define	dc_keysched_len		dcu.dcu_ecb.ecb_common.cc_keysched_len
300#define	dc_iv			dcu.dcu_ecb.ecb_common.cc_iv
301#define	dc_lastp		dcu.dcu_ecb.ecb_common.cc_lastp
302
303extern int ecb_cipher_contiguous_blocks(ecb_ctx_t *, char *, size_t,
304    crypto_data_t *, size_t, int (*cipher)(const void *, const uint8_t *,
305    uint8_t *));	/* parameters are unnamed; cipher is presumably (keysched, in, out) - confirm */
306
307extern int cbc_encrypt_contiguous_blocks(cbc_ctx_t *, char *, size_t,
308    crypto_data_t *, size_t,
309    int (*encrypt)(const void *, const uint8_t *, uint8_t *),
310    void (*copy_block)(uint8_t *, uint8_t *),
311    void (*xor_block)(uint8_t *, uint8_t *));
312
313extern int cbc_decrypt_contiguous_blocks(cbc_ctx_t *, char *, size_t,
314    crypto_data_t *, size_t,
315    int (*decrypt)(const void *, const uint8_t *, uint8_t *),
316    void (*copy_block)(uint8_t *, uint8_t *),
317    void (*xor_block)(uint8_t *, uint8_t *));
318
319extern int ctr_mode_contiguous_blocks(ctr_ctx_t *, char *, size_t,
320    crypto_data_t *, size_t,
321    int (*cipher)(const void *, const uint8_t *, uint8_t *),
322    void (*xor_block)(uint8_t *, uint8_t *));	/* one entry point; no separate decrypt variant is declared */
323
324extern int ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
325    crypto_data_t *, size_t,
326    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
327    void (*copy_block)(uint8_t *, uint8_t *),
328    void (*xor_block)(uint8_t *, uint8_t *));
329
330extern int ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *, char *, size_t,
331    crypto_data_t *, size_t,
332    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
333    void (*copy_block)(uint8_t *, uint8_t *),
334    void (*xor_block)(uint8_t *, uint8_t *));	/* presumably buffers into ccm_pt_buf until ccm_decrypt_final - confirm */
335
336extern int gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
337    crypto_data_t *, size_t,
338    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
339    void (*copy_block)(uint8_t *, uint8_t *),
340    void (*xor_block)(uint8_t *, uint8_t *));
341
342extern int gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *, char *, size_t,
343    crypto_data_t *, size_t,
344    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
345    void (*copy_block)(uint8_t *, uint8_t *),
346    void (*xor_block)(uint8_t *, uint8_t *));	/* presumably buffers into gcm_pt_buf until gcm_decrypt_final - confirm */
347
348int ccm_encrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
349    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
350    void (*xor_block)(uint8_t *, uint8_t *));	/* declared without 'extern', unlike its neighbours; linkage is the same */
351
352int gcm_encrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
353    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
354    void (*copy_block)(uint8_t *, uint8_t *),
355    void (*xor_block)(uint8_t *, uint8_t *));	/* declared without 'extern'; linkage is the same */
356
357extern int ccm_decrypt_final(ccm_ctx_t *, crypto_data_t *, size_t,
358    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
359    void (*copy_block)(uint8_t *, uint8_t *),
360    void (*xor_block)(uint8_t *, uint8_t *));	/* plaintext is only valid after MAC verification; callers must check the result */
361
362extern int gcm_decrypt_final(gcm_ctx_t *, crypto_data_t *, size_t,
363    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
364    void (*xor_block)(uint8_t *, uint8_t *));	/* plaintext is only valid when the tag matched; callers must check the result */
365
366extern int ctr_mode_final(ctr_ctx_t *, crypto_data_t *,
367    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *));	/* presumably flushes the cc_remainder bytes - confirm */
368
369extern int cbc_init_ctx(cbc_ctx_t *, char *, size_t, size_t,
370    void (*copy_block)(uint8_t *, uint64_t *));	/* copy_block takes a uint64_t * here, uint8_t * in the other prototypes */
371
372extern int ctr_init_ctx(ctr_ctx_t *, ulong_t, uint8_t *,
373    void (*copy_block)(uint8_t *, uint8_t *));	/* ulong_t is presumably the counter width in bits - confirm */
374
375extern int ccm_init_ctx(ccm_ctx_t *, char *, int, boolean_t, size_t,
376    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
377    void (*xor_block)(uint8_t *, uint8_t *));	/* NOTE(review): char * presumably carries caller parameters; confirm lengths are validated */
378
379extern int gcm_init_ctx(gcm_ctx_t *, char *, size_t,
380    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
381    void (*copy_block)(uint8_t *, uint8_t *),
382    void (*xor_block)(uint8_t *, uint8_t *));	/* NOTE(review): char * presumably carries IV/AAD/tag parameters; confirm they are validated */
383
384extern int gmac_init_ctx(gcm_ctx_t *, char *, size_t,
385    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
386    void (*copy_block)(uint8_t *, uint8_t *),
387    void (*xor_block)(uint8_t *, uint8_t *));	/* operates on a gcm_ctx_t; there is no separate GMAC context type */
388
389extern void calculate_ccm_mac(ccm_ctx_t *, uint8_t *,
390    int (*encrypt_block)(const void *, const uint8_t *, uint8_t *));	/* returns void: no error is reported to the caller */
391
392extern void gcm_mul(uint64_t *, uint64_t *, uint64_t *);	/* presumably the GHASH field multiply; operand roles not visible here */
393
394extern void crypto_init_ptrs(crypto_data_t *, void **, offset_t *);
395extern void crypto_get_ptrs(crypto_data_t *, void **, offset_t *,
396    uint8_t **, size_t *, uint8_t **, size_t);
397
398extern void *ecb_alloc_ctx(int);	/* int is presumably a kmflag (cf. gcm_set_kmflag); result may be NULL - confirm */
399extern void *cbc_alloc_ctx(int);
400extern void *ctr_alloc_ctx(int);
401extern void *ccm_alloc_ctx(int);
402extern void *gcm_alloc_ctx(int);
403extern void *gmac_alloc_ctx(int);
404extern void crypto_free_mode_ctx(void *);	/* NOTE(review): contexts hold key material and buffered plaintext; confirm they are zeroized here */
405extern void gcm_set_kmflag(gcm_ctx_t *, int);
406
407#ifdef	__cplusplus
408}
409#endif
410
411#endif	/* _COMMON_CRYPTO_MODES_H */
412