1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2018, Joyent, Inc.
24 * Copyright 2023-2026 RackTop Systems, Inc.
25 */
26
27 /*
28 * This file implements GCM and GMAC, as decribed in
29 * NIST Special Publication 800-38D
30 * Recommendation for Block Cipher Modes of Operation:
31 * Galois/Counter Mode (GCM) and GMAC
32 *
33 * Briefly, GMAC uses GCM just for "authentication" (sign/verify),
34 * discarding the ouptut data (cipher/clear) that GCM would produce.
35 *
36 * Some functions below serve both GCM and GMAC, adjusting behavior
37 * based on (ctx->gcm_flags & GMAC_MODE) to skip output production
38 * or actions needed only when actually doing encrypt or decrypt.
39 *
40 * Some non-obvious things to note:
41 *
42 * The struct member gcm_len_a_len_c[] is an array of two uint64_t
43 * (AAD length and input data length, in that order, in BITS).
44 * The values are needed in that form for a hash computation that
45 * happens in the "final" function for GCM or GMAC. Just before the
46 * "final" hash computation, the values are converted to big-endian
47 * form as required by the altgorithm specification. Before that
48 * point those values are in host order (always BITS).
49 *
50 * The calling framework (one of uts/common/crypto/io/aes.c
51 * or lib/pkcs11/pkcs11_softtoken/common/softAESCrypt.c)
52 * uses different "alloc", "init", and "final" functions
53 * for GCM vs GMAC. See calls to:
54 * gcm_alloc_ctx, gmac_alloc_ctx,
55 * gcm_init_ctx, gmac_init_ctx,
56 * gcm_encrypt_final, gmac_mode_final
57 * Operation of the GCM vs GMAC varints of those functions are
58 * similar other than encrypt/decrypt in GCM, skipped in GMAC.
59 */
60
61 #ifndef _KERNEL
62 #include <strings.h>
63 #include <limits.h>
64 #include <security/cryptoki.h>
65 #endif /* _KERNEL */
66
67 #include <sys/debug.h>
68 #include <sys/types.h>
69 #include <sys/kmem.h>
70 #include <modes/modes.h>
71 #include <sys/crypto/common.h>
72 #include <sys/crypto/impl.h>
73 #include <sys/byteorder.h>
74
75 #ifdef __amd64
76
77 #ifdef _KERNEL
78 #include <sys/cpuvar.h> /* cpu_t, CPU */
79 #include <sys/x86_archext.h> /* x86_featureset, X86FSET_*, CPUID_* */
80 #include <sys/disp.h> /* kpreempt_disable(), kpreempt_enable */
81 /* Workaround for no XMM kernel thread save/restore */
82 #define KPREEMPT_DISABLE kpreempt_disable()
83 #define KPREEMPT_ENABLE kpreempt_enable()
84
85 #else
86 #include <sys/auxv.h> /* getisax() */
87 #include <sys/auxv_386.h> /* AV_386_PCLMULQDQ bit */
88 #define KPREEMPT_DISABLE
89 #define KPREEMPT_ENABLE
90 #endif /* _KERNEL */
91
92 extern void gcm_mul_pclmulqdq(uint64_t *x_in, uint64_t *y, uint64_t *res);
93 static int intel_pclmulqdq_instruction_present(void);
94 #endif /* __amd64 */
95
96 struct aes_block {
97 uint64_t a;
98 uint64_t b;
99 };
100
101
102 /*
103 * gcm_mul()
104 * Perform a carry-less multiplication (that is, use XOR instead of the
105 * multiply operator) on *x_in and *y and place the result in *res.
106 *
107 * Byte swap the input (*x_in and *y) and the output (*res).
108 *
109 * Note: x_in, y, and res all point to 16-byte numbers (an array of two
110 * 64-bit integers).
111 */
112 void
gcm_mul(uint64_t * x_in,uint64_t * y,uint64_t * res)113 gcm_mul(uint64_t *x_in, uint64_t *y, uint64_t *res)
114 {
115 #ifdef __amd64
116 if (intel_pclmulqdq_instruction_present()) {
117 KPREEMPT_DISABLE;
118 gcm_mul_pclmulqdq(x_in, y, res);
119 KPREEMPT_ENABLE;
120 } else
121 #endif /* __amd64 */
122 {
123 static const uint64_t R = 0xe100000000000000ULL;
124 struct aes_block z = {0, 0};
125 struct aes_block v;
126 uint64_t x;
127 int i, j;
128
129 v.a = ntohll(y[0]);
130 v.b = ntohll(y[1]);
131
132 for (j = 0; j < 2; j++) {
133 x = ntohll(x_in[j]);
134 for (i = 0; i < 64; i++, x <<= 1) {
135 if (x & 0x8000000000000000ULL) {
136 z.a ^= v.a;
137 z.b ^= v.b;
138 }
139 if (v.b & 1ULL) {
140 v.b = (v.a << 63)|(v.b >> 1);
141 v.a = (v.a >> 1) ^ R;
142 } else {
143 v.b = (v.a << 63)|(v.b >> 1);
144 v.a = v.a >> 1;
145 }
146 }
147 }
148 res[0] = htonll(z.a);
149 res[1] = htonll(z.b);
150 }
151 }
152
153
154 #define GHASH(c, d, t) \
155 xor_block((uint8_t *)(d), (uint8_t *)(c)->gcm_ghash); \
156 gcm_mul((uint64_t *)(void *)(c)->gcm_ghash, (c)->gcm_H, \
157 (uint64_t *)(void *)(t));
158
159 /*
160 * helper factored out of gcm_mode_encrypt_contiguous_blocks
161 */
162 static inline void
gcm_encrypt_block(gcm_ctx_t * ctx,uint8_t * datap,crypto_data_t * out,size_t block_size,uint8_t * blockp,void * iov_or_mp,offset_t * offset,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* copy_block)(uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))163 gcm_encrypt_block(gcm_ctx_t *ctx, uint8_t *datap, crypto_data_t *out,
164 size_t block_size, uint8_t *blockp, void *iov_or_mp, offset_t *offset,
165 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
166 void (*copy_block)(uint8_t *, uint8_t *),
167 void (*xor_block)(uint8_t *, uint8_t *))
168 {
169 uint8_t *out_data_1;
170 uint8_t *out_data_2;
171 size_t out_data_1_len;
172 uint64_t counter;
173 uint64_t counter_mask = ntohll(0x00000000ffffffffULL);
174
175 /*
176 * Increment counter. Counter bits are confined
177 * to the bottom 32 bits of the counter block.
178 */
179 counter = ntohll(ctx->gcm_cb[1] & counter_mask);
180 counter = htonll(counter + 1);
181 counter &= counter_mask;
182 ctx->gcm_cb[1] = (ctx->gcm_cb[1] & ~counter_mask) | counter;
183
184 encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_cb,
185 (uint8_t *)ctx->gcm_tmp);
186 xor_block(blockp, (uint8_t *)ctx->gcm_tmp);
187
188 if (out == NULL) {
189 if (ctx->gcm_remainder_len > 0) {
190 bcopy(blockp, ctx->gcm_copy_to,
191 ctx->gcm_remainder_len);
192 bcopy(blockp + ctx->gcm_remainder_len, datap,
193 block_size - ctx->gcm_remainder_len);
194 }
195 } else {
196 uint8_t *tmpp = (uint8_t *)ctx->gcm_tmp;
197 crypto_get_ptrs(out, iov_or_mp, offset, &out_data_1,
198 &out_data_1_len, &out_data_2, block_size);
199
200 /* copy block to where it belongs */
201 if (out_data_1_len == block_size) {
202 copy_block(tmpp, out_data_1);
203 } else {
204 bcopy(tmpp, out_data_1, out_data_1_len);
205 if (out_data_2 != NULL) {
206 bcopy(tmpp + out_data_1_len,
207 out_data_2,
208 block_size - out_data_1_len);
209 }
210 }
211 /* update offset */
212 out->cd_offset += block_size;
213 }
214 }
215
216 /*
217 * Encrypt multiple blocks of data in GCM mode. Decrypt for GCM mode
218 * is done in another function: gcm_mode_decrypt_contiguous_blocks().
219 *
220 * When doing GCM, gcm_processed_data_len is advanced (which is the
221 * encrypted/decrypted data bytes, excluding AAD). When this is doing
222 * GMAC (serving C_Sign) it advances the "input" pointers instead:
223 * gcm_len_a_len_c[0] is the ADD input length, and
224 * gcm_len_a_len_c[1] is the data input length.
225 * (Details at the top of this file).
226 */
227 int
gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t * ctx,char * data,size_t length,crypto_data_t * out,size_t block_size,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* copy_block)(uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))228 gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t *ctx, char *data, size_t length,
229 crypto_data_t *out, size_t block_size,
230 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
231 void (*copy_block)(uint8_t *, uint8_t *),
232 void (*xor_block)(uint8_t *, uint8_t *))
233 {
234 size_t remainder = length;
235 size_t need;
236 uint8_t *datap = (uint8_t *)data;
237 uint8_t *blockp;
238 void *iov_or_mp;
239 offset_t offset;
240
241 if (length + ctx->gcm_remainder_len < block_size) {
242 /* accumulate bytes here and return */
243 bcopy(datap,
244 (uint8_t *)ctx->gcm_remainder + ctx->gcm_remainder_len,
245 length);
246 ctx->gcm_remainder_len += length;
247 ctx->gcm_copy_to = datap;
248 return (CRYPTO_SUCCESS);
249 }
250
251 if (out != NULL)
252 crypto_init_ptrs(out, &iov_or_mp, &offset);
253
254 do {
255 /* Unprocessed data from last call. */
256 if (ctx->gcm_remainder_len > 0) {
257 need = block_size - ctx->gcm_remainder_len;
258
259 if (need > remainder)
260 return (CRYPTO_DATA_LEN_RANGE);
261
262 bcopy(datap, &((uint8_t *)ctx->gcm_remainder)
263 [ctx->gcm_remainder_len], need);
264
265 blockp = (uint8_t *)ctx->gcm_remainder;
266 } else {
267 blockp = datap;
268 }
269
270 if ((ctx->gcm_flags & GMAC_MODE) != 0) {
271 /* add AAD to the hash */
272 ctx->gcm_len_a_len_c[0] +=
273 CRYPTO_BYTES2BITS(block_size);
274 GHASH(ctx, blockp, ctx->gcm_ghash);
275 } else {
276 gcm_encrypt_block(ctx, datap, out, block_size, blockp,
277 &iov_or_mp, &offset, encrypt_block, copy_block,
278 xor_block);
279 /* add ciphertext to the hash */
280 ctx->gcm_processed_data_len += block_size;
281 GHASH(ctx, ctx->gcm_tmp, ctx->gcm_ghash);
282 }
283
284 /* Update pointer to next block of data to be processed. */
285 if (ctx->gcm_remainder_len != 0) {
286 datap += need;
287 ctx->gcm_remainder_len = 0;
288 } else {
289 datap += block_size;
290 }
291
292 remainder = (size_t)&data[length] - (size_t)datap;
293
294 /* Incomplete last block. */
295 if (remainder > 0 && remainder < block_size) {
296 bcopy(datap, ctx->gcm_remainder, remainder);
297 ctx->gcm_remainder_len = remainder;
298 ctx->gcm_copy_to = datap;
299 goto out;
300 }
301 ctx->gcm_copy_to = NULL;
302
303 } while (remainder > 0);
304
305 out:
306 return (CRYPTO_SUCCESS);
307 }
308
309 /* ARGSUSED */
310 int
gcm_encrypt_final(gcm_ctx_t * ctx,crypto_data_t * out,size_t block_size,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* copy_block)(uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))311 gcm_encrypt_final(gcm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
312 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
313 void (*copy_block)(uint8_t *, uint8_t *),
314 void (*xor_block)(uint8_t *, uint8_t *))
315 {
316 uint64_t counter_mask = ntohll(0x00000000ffffffffULL);
317 uint8_t *ghash, *macp;
318 int i, rv;
319
320 if (out->cd_length <
321 (ctx->gcm_remainder_len + ctx->gcm_tag_len)) {
322 return (CRYPTO_DATA_LEN_RANGE);
323 }
324
325 ghash = (uint8_t *)ctx->gcm_ghash;
326
327 if (ctx->gcm_remainder_len > 0) {
328 uint64_t counter;
329 uint8_t *tmpp = (uint8_t *)ctx->gcm_tmp;
330
331 /*
332 * Here is where we deal with data that is not a
333 * multiple of the block size.
334 */
335
336 /*
337 * Increment counter.
338 */
339 counter = ntohll(ctx->gcm_cb[1] & counter_mask);
340 counter = htonll(counter + 1);
341 counter &= counter_mask;
342 ctx->gcm_cb[1] = (ctx->gcm_cb[1] & ~counter_mask) | counter;
343
344 encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_cb,
345 (uint8_t *)ctx->gcm_tmp);
346
347 macp = (uint8_t *)ctx->gcm_remainder;
348 bzero(macp + ctx->gcm_remainder_len,
349 block_size - ctx->gcm_remainder_len);
350
351 /* XOR with counter block */
352 for (i = 0; i < ctx->gcm_remainder_len; i++) {
353 macp[i] ^= tmpp[i];
354 }
355
356 /* add ciphertext to the hash */
357 GHASH(ctx, macp, ghash);
358
359 ctx->gcm_processed_data_len += ctx->gcm_remainder_len;
360 }
361
362 /*
363 * The gcm_len_a_len_c values are in host order until final,
364 * where we convert them to network order before GHASH
365 */
366 ctx->gcm_len_a_len_c[0] = htonll(ctx->gcm_len_a_len_c[0]);
367 ctx->gcm_len_a_len_c[1] =
368 htonll(CRYPTO_BYTES2BITS(ctx->gcm_processed_data_len));
369 GHASH(ctx, ctx->gcm_len_a_len_c, ghash);
370 encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_J0,
371 (uint8_t *)ctx->gcm_J0);
372 xor_block((uint8_t *)ctx->gcm_J0, ghash);
373
374 if (ctx->gcm_remainder_len > 0) {
375 rv = crypto_put_output_data(macp, out, ctx->gcm_remainder_len);
376 if (rv != CRYPTO_SUCCESS)
377 return (rv);
378 }
379 out->cd_offset += ctx->gcm_remainder_len;
380 ctx->gcm_remainder_len = 0;
381 rv = crypto_put_output_data(ghash, out, ctx->gcm_tag_len);
382 if (rv != CRYPTO_SUCCESS)
383 return (rv);
384 out->cd_offset += ctx->gcm_tag_len;
385
386 return (CRYPTO_SUCCESS);
387 }
388
389 /*
390 * This is used in the AES encrypt operations when we're using them
391 * for MAC computations. In these cases encrypted data is discarded
392 * and we keep only the final data block (used as the MAC).
393 */
394 int
gmac_mode_final(gcm_ctx_t * ctx,crypto_data_t * out,size_t block_size,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))395 gmac_mode_final(gcm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
396 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
397 void (*xor_block)(uint8_t *, uint8_t *))
398 {
399 uint8_t *ghash;
400 int rv;
401
402 /* Unlike encrypt_final, this has no output but the tag. */
403 if (out->cd_length < ctx->gcm_tag_len)
404 return (CRYPTO_DATA_LEN_RANGE);
405
406 ghash = (uint8_t *)ctx->gcm_ghash;
407
408 if (ctx->gcm_remainder_len > 0) {
409 uint8_t *macp;
410
411 /*
412 * Here is where we deal with data that is not a
413 * multiple of the block size.
414 *
415 * Not encrypting, so no counter, gcm_cb[].
416 */
417
418 macp = (uint8_t *)ctx->gcm_remainder;
419 bzero(macp + ctx->gcm_remainder_len,
420 block_size - ctx->gcm_remainder_len);
421
422 ctx->gcm_len_a_len_c[0] +=
423 CRYPTO_BYTES2BITS(ctx->gcm_remainder_len);
424 ctx->gcm_remainder_len = 0;
425 /* add AAD to the hash */
426 GHASH(ctx, macp, ghash);
427 }
428
429 /*
430 * We've stored the total auth data in bits here, but before we
431 * add it to the hash, we need to convert to network order.
432 * GMAC keeps gcm_len_a_len_c[1] = 0.
433 */
434 ctx->gcm_len_a_len_c[0] = htonll(ctx->gcm_len_a_len_c[0]);
435 GHASH(ctx, ctx->gcm_len_a_len_c, ghash);
436 encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_J0,
437 (uint8_t *)ctx->gcm_J0);
438 xor_block((uint8_t *)ctx->gcm_J0, ghash);
439
440 rv = crypto_put_output_data(ghash, out, ctx->gcm_tag_len);
441 if (rv != CRYPTO_SUCCESS)
442 return (rv);
443 out->cd_offset += ctx->gcm_tag_len;
444
445 return (CRYPTO_SUCCESS);
446 }
447
448 /*
449 * This will only deal with decrypting the last block of the input that
450 * might not be a multiple of block length.
451 */
452 static void
gcm_decrypt_incomplete_block(gcm_ctx_t * ctx,size_t block_size,size_t index,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))453 gcm_decrypt_incomplete_block(gcm_ctx_t *ctx, size_t block_size, size_t index,
454 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
455 void (*xor_block)(uint8_t *, uint8_t *))
456 {
457 uint8_t *datap, *outp, *counterp;
458 uint64_t counter;
459 uint64_t counter_mask = ntohll(0x00000000ffffffffULL);
460 int i;
461
462 /*
463 * Increment counter.
464 * Counter bits are confined to the bottom 32 bits
465 */
466 counter = ntohll(ctx->gcm_cb[1] & counter_mask);
467 counter = htonll(counter + 1);
468 counter &= counter_mask;
469 ctx->gcm_cb[1] = (ctx->gcm_cb[1] & ~counter_mask) | counter;
470
471 datap = (uint8_t *)ctx->gcm_remainder;
472 outp = &((ctx->gcm_pt_buf)[index]);
473 counterp = (uint8_t *)ctx->gcm_tmp;
474
475 /* authentication tag */
476 bzero((uint8_t *)ctx->gcm_tmp, block_size);
477 bcopy(datap, (uint8_t *)ctx->gcm_tmp, ctx->gcm_remainder_len);
478
479 /* add ciphertext to the hash */
480 GHASH(ctx, ctx->gcm_tmp, ctx->gcm_ghash);
481
482 /* decrypt remaining ciphertext */
483 encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_cb, counterp);
484
485 /* XOR with counter block */
486 for (i = 0; i < ctx->gcm_remainder_len; i++) {
487 outp[i] = datap[i] ^ counterp[i];
488 }
489 }
490
491 /*
492 * See notes above gcm_mode_encrypt_contiguous_blocks for GMAC
493 * cases (serving C_Verify here) -- same applies here.
494 */
495 int
gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t * ctx,char * data,size_t length,crypto_data_t * out,size_t block_size,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* copy_block)(uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))496 gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *ctx, char *data, size_t length,
497 crypto_data_t *out, size_t block_size,
498 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
499 void (*copy_block)(uint8_t *, uint8_t *),
500 void (*xor_block)(uint8_t *, uint8_t *))
501 {
502 size_t new_len;
503 uint8_t *new;
504
505 if ((ctx->gcm_flags & GMAC_MODE) != 0 &&
506 ctx->gcm_remainder_len != 0) {
507 /*
508 * For GMAC we need to hash the AAD as we go because
509 * we don't save the data for _final like GCM does.
510 */
511 uint8_t *macp, *ghash;
512
513 macp = (uint8_t *)ctx->gcm_remainder;
514 ghash = (uint8_t *)ctx->gcm_ghash;
515
516 bzero(macp + ctx->gcm_remainder_len,
517 block_size - ctx->gcm_remainder_len);
518
519 /* remainder AAD len in bits */
520 ctx->gcm_len_a_len_c[0] +=
521 CRYPTO_BYTES2BITS(ctx->gcm_remainder_len);
522 /* add AAD to the hash */
523 GHASH(ctx, macp, ghash);
524 }
525
526 /*
527 * Copy contiguous ciphertext input blocks to plaintext buffer.
528 * Ciphertext will be decrypted in the final.
529 */
530 if (length > 0) {
531 new_len = ctx->gcm_pt_buf_len + length;
532 #ifdef _KERNEL
533 new = kmem_alloc(new_len, ctx->gcm_kmflag);
534 bcopy(ctx->gcm_pt_buf, new, ctx->gcm_pt_buf_len);
535 kmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len);
536 #else
537 new = malloc(new_len);
538 bcopy(ctx->gcm_pt_buf, new, ctx->gcm_pt_buf_len);
539 free(ctx->gcm_pt_buf);
540 #endif
541 if (new == NULL)
542 return (CRYPTO_HOST_MEMORY);
543
544 ctx->gcm_pt_buf = new;
545 ctx->gcm_pt_buf_len = new_len;
546 bcopy(data, &ctx->gcm_pt_buf[ctx->gcm_processed_data_len],
547 length);
548 ctx->gcm_processed_data_len += length;
549 }
550
551 ctx->gcm_remainder_len = 0;
552 return (CRYPTO_SUCCESS);
553 }
554
555 int
gcm_decrypt_final(gcm_ctx_t * ctx,crypto_data_t * out,size_t block_size,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))556 gcm_decrypt_final(gcm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
557 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
558 void (*xor_block)(uint8_t *, uint8_t *))
559 {
560 size_t pt_len;
561 size_t remainder;
562 uint8_t *ghash;
563 uint8_t *blockp;
564 uint8_t *cbp;
565 uint64_t counter;
566 uint64_t counter_mask = ntohll(0x00000000ffffffffULL);
567 int processed = 0, rv;
568
569 ASSERT3U(ctx->gcm_processed_data_len, ==, ctx->gcm_pt_buf_len);
570
571 pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len;
572 ghash = (uint8_t *)ctx->gcm_ghash;
573 blockp = ctx->gcm_pt_buf;
574 remainder = pt_len;
575
576 if ((ctx->gcm_flags & GMAC_MODE) != 0) {
577 ASSERT3U(remainder, ==, 0);
578 }
579
580 while (remainder > 0) {
581 /* Incomplete last block */
582 if (remainder < block_size) {
583 bcopy(blockp, ctx->gcm_remainder, remainder);
584 ctx->gcm_remainder_len = remainder;
585 /*
586 * not expecting anymore ciphertext, just
587 * compute plaintext for the remaining input
588 */
589 gcm_decrypt_incomplete_block(ctx, block_size,
590 processed, encrypt_block, xor_block);
591 ctx->gcm_remainder_len = 0;
592 goto out;
593 }
594 /* add ciphertext to the hash */
595 GHASH(ctx, blockp, ghash);
596
597 /*
598 * Increment counter.
599 * Counter bits are confined to the bottom 32 bits
600 */
601 counter = ntohll(ctx->gcm_cb[1] & counter_mask);
602 counter = htonll(counter + 1);
603 counter &= counter_mask;
604 ctx->gcm_cb[1] = (ctx->gcm_cb[1] & ~counter_mask) | counter;
605
606 cbp = (uint8_t *)ctx->gcm_tmp;
607 encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_cb, cbp);
608
609 /* XOR with ciphertext */
610 xor_block(cbp, blockp);
611
612 processed += block_size;
613 blockp += block_size;
614 remainder -= block_size;
615 }
616
617 out:
618 /*
619 * We've stored the total auth data in bits here, but before we
620 * add it to the hash, we need to change byte order.
621 */
622 ctx->gcm_len_a_len_c[0] = htonll(ctx->gcm_len_a_len_c[0]);
623 ctx->gcm_len_a_len_c[1] = htonll(CRYPTO_BYTES2BITS(pt_len));
624 GHASH(ctx, ctx->gcm_len_a_len_c, ghash);
625 encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_J0,
626 (uint8_t *)ctx->gcm_J0);
627 xor_block((uint8_t *)ctx->gcm_J0, ghash);
628
629 /* compare the input authentication tag with what we calculated */
630 if (bcmp(&ctx->gcm_pt_buf[pt_len], ghash, ctx->gcm_tag_len)) {
631 /* They don't match */
632 return (CRYPTO_INVALID_MAC);
633 } else {
634 rv = crypto_put_output_data(ctx->gcm_pt_buf, out, pt_len);
635 if (rv != CRYPTO_SUCCESS)
636 return (rv);
637 out->cd_offset += pt_len;
638 }
639 return (CRYPTO_SUCCESS);
640 }
641
642 static int
gcm_validate_args(CK_AES_GCM_PARAMS * gcm_param)643 gcm_validate_args(CK_AES_GCM_PARAMS *gcm_param)
644 {
645 size_t tag_len;
646
647 /*
648 * Check the length of the authentication tag (in bits).
649 */
650 tag_len = gcm_param->ulTagBits;
651 switch (tag_len) {
652 case 32:
653 case 64:
654 case 96:
655 case 104:
656 case 112:
657 case 120:
658 case 128:
659 break;
660 default:
661 return (CRYPTO_MECHANISM_PARAM_INVALID);
662 }
663
664 if (gcm_param->ulIvLen == 0)
665 return (CRYPTO_MECHANISM_PARAM_INVALID);
666
667 return (CRYPTO_SUCCESS);
668 }
669
670 static void
gcm_format_initial_blocks(uchar_t * iv,ulong_t iv_len,gcm_ctx_t * ctx,size_t block_size,void (* copy_block)(uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))671 gcm_format_initial_blocks(uchar_t *iv, ulong_t iv_len,
672 gcm_ctx_t *ctx, size_t block_size,
673 void (*copy_block)(uint8_t *, uint8_t *),
674 void (*xor_block)(uint8_t *, uint8_t *))
675 {
676 uint8_t *cb;
677 ulong_t remainder = iv_len;
678 ulong_t processed = 0;
679 uint8_t *datap, *ghash;
680 uint64_t len_a_len_c[2];
681
682 ghash = (uint8_t *)ctx->gcm_ghash;
683 cb = (uint8_t *)ctx->gcm_cb;
684 if (iv_len == 12) {
685 bcopy(iv, cb, 12);
686 cb[12] = 0;
687 cb[13] = 0;
688 cb[14] = 0;
689 cb[15] = 1;
690 /* J0 will be used again in the final */
691 copy_block(cb, (uint8_t *)ctx->gcm_J0);
692 } else {
693 /* GHASH the IV */
694 do {
695 if (remainder < block_size) {
696 bzero(cb, block_size);
697 bcopy(&(iv[processed]), cb, remainder);
698 datap = (uint8_t *)cb;
699 remainder = 0;
700 } else {
701 datap = (uint8_t *)(&(iv[processed]));
702 processed += block_size;
703 remainder -= block_size;
704 }
705 GHASH(ctx, datap, ghash);
706 } while (remainder > 0);
707
708 len_a_len_c[0] = 0;
709 len_a_len_c[1] = htonll(CRYPTO_BYTES2BITS(iv_len));
710 GHASH(ctx, len_a_len_c, ctx->gcm_J0);
711
712 /* J0 will be used again in the final */
713 copy_block((uint8_t *)ctx->gcm_J0, (uint8_t *)cb);
714 }
715 }
716
717 /*
718 * The following function is called at encrypt or decrypt init time
719 * for AES GCM mode.
720 */
721 int
gcm_init(gcm_ctx_t * ctx,unsigned char * iv,size_t iv_len,unsigned char * auth_data,size_t auth_data_len,size_t block_size,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* copy_block)(uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))722 gcm_init(gcm_ctx_t *ctx, unsigned char *iv, size_t iv_len,
723 unsigned char *auth_data, size_t auth_data_len, size_t block_size,
724 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
725 void (*copy_block)(uint8_t *, uint8_t *),
726 void (*xor_block)(uint8_t *, uint8_t *))
727 {
728 uint8_t *ghash, *datap, *authp;
729 size_t remainder, processed;
730
731 /* encrypt zero block to get subkey H */
732 bzero(ctx->gcm_H, sizeof (ctx->gcm_H));
733 encrypt_block(ctx->gcm_keysched, (uint8_t *)ctx->gcm_H,
734 (uint8_t *)ctx->gcm_H);
735
736 gcm_format_initial_blocks(iv, iv_len, ctx, block_size,
737 copy_block, xor_block);
738
739 authp = (uint8_t *)ctx->gcm_tmp;
740 ghash = (uint8_t *)ctx->gcm_ghash;
741 bzero(authp, block_size);
742 bzero(ghash, block_size);
743
744 processed = 0;
745 remainder = auth_data_len;
746 do {
747 if (remainder < block_size) {
748 if ((ctx->gcm_flags & GMAC_MODE) != 0) {
749 /*
750 * GMAC does not encrypt or decrypt, and
751 * therefore doesn't keep any out buffer,
752 * so gcm_remainder holds any remainder
753 * that GMAC needs to handle.
754 */
755 bcopy(&(auth_data[processed]),
756 ctx->gcm_remainder, remainder);
757 ctx->gcm_remainder_len = remainder;
758 break;
759 }
760 /*
761 * There's not a block full of data, pad rest of
762 * buffer with zero
763 */
764 bzero(authp, block_size);
765 bcopy(&(auth_data[processed]), authp, remainder);
766 datap = (uint8_t *)authp;
767 remainder = 0;
768 } else {
769 datap = (uint8_t *)(&(auth_data[processed]));
770 processed += block_size;
771 remainder -= block_size;
772 }
773
774 /* add auth data to the hash */
775 GHASH(ctx, datap, ghash);
776
777 } while (remainder > 0);
778
779 if ((ctx->gcm_flags & GMAC_MODE) != 0) {
780 ctx->gcm_len_a_len_c[0] =
781 CRYPTO_BYTES2BITS(auth_data_len - remainder);
782 }
783
784 return (CRYPTO_SUCCESS);
785 }
786
787 int
gcm_init_ctx(gcm_ctx_t * gcm_ctx,char * param,size_t block_size,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* copy_block)(uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))788 gcm_init_ctx(gcm_ctx_t *gcm_ctx, char *param, size_t block_size,
789 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
790 void (*copy_block)(uint8_t *, uint8_t *),
791 void (*xor_block)(uint8_t *, uint8_t *))
792 {
793 int rv;
794 CK_AES_GCM_PARAMS *gcm_param;
795
796 if (param != NULL) {
797 gcm_param = (CK_AES_GCM_PARAMS *)(void *)param;
798
799 if ((rv = gcm_validate_args(gcm_param)) != 0) {
800 return (rv);
801 }
802
803 gcm_ctx->gcm_tag_len = gcm_param->ulTagBits;
804 gcm_ctx->gcm_tag_len >>= 3;
805 gcm_ctx->gcm_processed_data_len = 0;
806
807 /* these values are in bits */
808 gcm_ctx->gcm_len_a_len_c[0] =
809 CRYPTO_BYTES2BITS(gcm_param->ulAADLen);
810
811 rv = CRYPTO_SUCCESS;
812 gcm_ctx->gcm_flags |= GCM_MODE;
813 } else {
814 rv = CRYPTO_MECHANISM_PARAM_INVALID;
815 goto out;
816 }
817
818 if (gcm_init(gcm_ctx, gcm_param->pIv, gcm_param->ulIvLen,
819 gcm_param->pAAD, gcm_param->ulAADLen, block_size,
820 encrypt_block, copy_block, xor_block) != 0) {
821 rv = CRYPTO_MECHANISM_PARAM_INVALID;
822 }
823 out:
824 return (rv);
825 }
826
827 int
gmac_init_ctx(gcm_ctx_t * gcm_ctx,char * param,size_t block_size,int (* encrypt_block)(const void *,const uint8_t *,uint8_t *),void (* copy_block)(uint8_t *,uint8_t *),void (* xor_block)(uint8_t *,uint8_t *))828 gmac_init_ctx(gcm_ctx_t *gcm_ctx, char *param, size_t block_size,
829 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
830 void (*copy_block)(uint8_t *, uint8_t *),
831 void (*xor_block)(uint8_t *, uint8_t *))
832 {
833 int rv;
834 CK_AES_GMAC_PARAMS *gmac_param;
835
836 if (param == NULL)
837 return (CRYPTO_MECHANISM_PARAM_INVALID);
838
839 gmac_param = (CK_AES_GMAC_PARAMS *)(void *)param;
840
841 gcm_ctx->gcm_tag_len = CRYPTO_BITS2BYTES(AES_GMAC_TAG_BITS);
842 gcm_ctx->gcm_processed_data_len = 0;
843
844 /* these values are in bits */
845 gcm_ctx->gcm_len_a_len_c[0] = 0;
846 gcm_ctx->gcm_len_a_len_c[1] = 0;
847
848 rv = CRYPTO_SUCCESS;
849 gcm_ctx->gcm_flags |= GMAC_MODE;
850
851 if (gcm_init(gcm_ctx, gmac_param->pIv, AES_GMAC_IV_LEN,
852 gmac_param->pAAD, gmac_param->ulAADLen, block_size,
853 encrypt_block, copy_block, xor_block) != 0) {
854 rv = CRYPTO_MECHANISM_PARAM_INVALID;
855 }
856
857 return (rv);
858 }
859
860 void *
gcm_alloc_ctx(int kmflag)861 gcm_alloc_ctx(int kmflag)
862 {
863 gcm_ctx_t *gcm_ctx;
864
865 /* Free in crypto_free_mode_ctx() */
866 #ifdef _KERNEL
867 if ((gcm_ctx = kmem_zalloc(sizeof (gcm_ctx_t), kmflag)) == NULL)
868 #else
869 if ((gcm_ctx = calloc(1, sizeof (gcm_ctx_t))) == NULL)
870 #endif
871 return (NULL);
872
873 gcm_ctx->gcm_flags = GCM_MODE;
874 return (gcm_ctx);
875 }
876
877 void *
gmac_alloc_ctx(int kmflag)878 gmac_alloc_ctx(int kmflag)
879 {
880 gcm_ctx_t *gcm_ctx;
881
882 /* Free in crypto_free_mode_ctx() */
883 #ifdef _KERNEL
884 if ((gcm_ctx = kmem_zalloc(sizeof (gcm_ctx_t), kmflag)) == NULL)
885 #else
886 if ((gcm_ctx = calloc(1, sizeof (gcm_ctx_t))) == NULL)
887 #endif
888 return (NULL);
889
890 gcm_ctx->gcm_flags = GMAC_MODE;
891 return (gcm_ctx);
892 }
893
894 void
gcm_set_kmflag(gcm_ctx_t * ctx,int kmflag)895 gcm_set_kmflag(gcm_ctx_t *ctx, int kmflag)
896 {
897 ctx->gcm_kmflag = kmflag;
898 }
899
900
901 #ifdef __amd64
902 /*
903 * Return 1 if executing on Intel with PCLMULQDQ instructions,
904 * otherwise 0 (i.e., Intel without PCLMULQDQ or AMD64).
905 * Cache the result, as the CPU can't change.
906 *
907 * Note: the userland version uses getisax(). The kernel version uses
908 * is_x86_featureset().
909 */
910 static int
intel_pclmulqdq_instruction_present(void)911 intel_pclmulqdq_instruction_present(void)
912 {
913 static int cached_result = -1;
914
915 if (cached_result == -1) { /* first time */
916 #ifdef _KERNEL
917 cached_result =
918 is_x86_feature(x86_featureset, X86FSET_PCLMULQDQ);
919 #else
920 uint_t ui = 0;
921
922 (void) getisax(&ui, 1);
923 cached_result = (ui & AV_386_PCLMULQDQ) != 0;
924 #endif /* _KERNEL */
925 }
926
927 return (cached_result);
928 }
929 #endif /* __amd64 */
930