1 // SPDX-License-Identifier: CDDL-1.0
2 /*
3 * CDDL HEADER START
4 *
5 * The contents of this file are subject to the terms of the
6 * Common Development and Distribution License (the "License").
7 * You may not use this file except in compliance with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or https://opensource.org/licenses/CDDL-1.0.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 #include <sys/zfs_context.h>
28 #include <modes/modes.h>
29 #include <sys/crypto/common.h>
30 #include <sys/crypto/impl.h>
31
32 /*
33 * Initialize by setting iov_or_mp to point to the current iovec or mp,
34 * and by setting current_offset to an offset within the current iovec or mp.
35 */
36 void
crypto_init_ptrs(crypto_data_t * out,void ** iov_or_mp,offset_t * current_offset)37 crypto_init_ptrs(crypto_data_t *out, void **iov_or_mp, offset_t *current_offset)
38 {
39 offset_t offset;
40
41 switch (out->cd_format) {
42 case CRYPTO_DATA_RAW:
43 *current_offset = out->cd_offset;
44 break;
45
46 case CRYPTO_DATA_UIO: {
47 zfs_uio_t *uiop = out->cd_uio;
48 uint_t vec_idx;
49
50 offset = out->cd_offset;
51 offset = zfs_uio_index_at_offset(uiop, offset, &vec_idx);
52
53 *current_offset = offset;
54 *iov_or_mp = (void *)(uintptr_t)vec_idx;
55 break;
56 }
57 } /* end switch */
58 }
59
60 /*
61 * Get pointers for where in the output to copy a block of encrypted or
62 * decrypted data. The iov_or_mp argument stores a pointer to the current
63 * iovec or mp, and offset stores an offset into the current iovec or mp.
64 */
65 void
crypto_get_ptrs(crypto_data_t * out,void ** iov_or_mp,offset_t * current_offset,uint8_t ** out_data_1,size_t * out_data_1_len,uint8_t ** out_data_2,size_t amt)66 crypto_get_ptrs(crypto_data_t *out, void **iov_or_mp, offset_t *current_offset,
67 uint8_t **out_data_1, size_t *out_data_1_len, uint8_t **out_data_2,
68 size_t amt)
69 {
70 offset_t offset;
71
72 switch (out->cd_format) {
73 case CRYPTO_DATA_RAW: {
74 iovec_t *iov;
75
76 offset = *current_offset;
77 iov = &out->cd_raw;
78 if ((offset + amt) <= iov->iov_len) {
79 /* one block fits */
80 *out_data_1 = (uint8_t *)iov->iov_base + offset;
81 *out_data_1_len = amt;
82 *out_data_2 = NULL;
83 *current_offset = offset + amt;
84 }
85 break;
86 }
87
88 case CRYPTO_DATA_UIO: {
89 zfs_uio_t *uio = out->cd_uio;
90 offset_t offset;
91 uint_t vec_idx;
92 uint8_t *p;
93 uint64_t iov_len;
94 void *iov_base;
95
96 offset = *current_offset;
97 vec_idx = (uintptr_t)(*iov_or_mp);
98 zfs_uio_iov_at_index(uio, vec_idx, &iov_base, &iov_len);
99 p = (uint8_t *)iov_base + offset;
100 *out_data_1 = p;
101
102 if (offset + amt <= iov_len) {
103 /* can fit one block into this iov */
104 *out_data_1_len = amt;
105 *out_data_2 = NULL;
106 *current_offset = offset + amt;
107 } else {
108 /* one block spans two iovecs */
109 *out_data_1_len = iov_len - offset;
110 if (vec_idx == zfs_uio_iovcnt(uio)) {
111 *out_data_2 = NULL;
112 return;
113 }
114 vec_idx++;
115 zfs_uio_iov_at_index(uio, vec_idx, &iov_base, &iov_len);
116 *out_data_2 = (uint8_t *)iov_base;
117 *current_offset = amt - *out_data_1_len;
118 }
119 *iov_or_mp = (void *)(uintptr_t)vec_idx;
120 break;
121 }
122 } /* end switch */
123 }
124
125 void
crypto_free_mode_ctx(void * ctx)126 crypto_free_mode_ctx(void *ctx)
127 {
128 common_ctx_t *common_ctx = (common_ctx_t *)ctx;
129
130 switch (common_ctx->cc_flags & (CCM_MODE|GCM_MODE)) {
131 case CCM_MODE:
132 if (((ccm_ctx_t *)ctx)->ccm_pt_buf != NULL)
133 vmem_free(((ccm_ctx_t *)ctx)->ccm_pt_buf,
134 ((ccm_ctx_t *)ctx)->ccm_data_len);
135
136 kmem_free(ctx, sizeof (ccm_ctx_t));
137 break;
138
139 case GCM_MODE:
140 gcm_clear_ctx((gcm_ctx_t *)ctx);
141 kmem_free(ctx, sizeof (gcm_ctx_t));
142 break;
143
144 default:
145 __builtin_unreachable();
146 }
147 }
148
149 static void *
explicit_memset(void * s,int c,size_t n)150 explicit_memset(void *s, int c, size_t n)
151 {
152 memset(s, c, n);
153 __asm__ __volatile__("" :: "r"(s) : "memory");
154 return (s);
155 }
156
157 /*
158 * Clear sensitive data in the context and free allocated memory.
159 *
160 * ctx->gcm_remainder may contain a plaintext remainder. ctx->gcm_H and
161 * ctx->gcm_Htable contain the hash sub key which protects authentication.
162 * ctx->gcm_pt_buf contains the plaintext result of decryption.
163 *
164 * Although extremely unlikely, ctx->gcm_J0 and ctx->gcm_tmp could be used for
165 * a known plaintext attack, they consist of the IV and the first and last
166 * counter respectively. If they should be cleared is debatable.
167 */
168 void
gcm_clear_ctx(gcm_ctx_t * ctx)169 gcm_clear_ctx(gcm_ctx_t *ctx)
170 {
171 explicit_memset(ctx->gcm_remainder, 0, sizeof (ctx->gcm_remainder));
172 explicit_memset(ctx->gcm_H, 0, sizeof (ctx->gcm_H));
173 #if defined(CAN_USE_GCM_ASM)
174 if (ctx->gcm_use_avx == B_TRUE) {
175 ASSERT3P(ctx->gcm_Htable, !=, NULL);
176 memset(ctx->gcm_Htable, 0, ctx->gcm_htab_len);
177 kmem_free(ctx->gcm_Htable, ctx->gcm_htab_len);
178 }
179 #endif
180 if (ctx->gcm_pt_buf != NULL) {
181 memset(ctx->gcm_pt_buf, 0, ctx->gcm_pt_buf_len);
182 vmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len);
183 }
184 /* Optional */
185 explicit_memset(ctx->gcm_J0, 0, sizeof (ctx->gcm_J0));
186 explicit_memset(ctx->gcm_tmp, 0, sizeof (ctx->gcm_tmp));
187 }
188